即时通讯在网络编程总的初学者。我试着去创建一个简单的网站，从SQL数据库中读取数据。起初，我只是直接写我的数据库密码，然后登录到PHP code：

im a total beginner in web programming. Im trying to create a simple website that is reading data from a SQL Database. At first i just wrote my database password and login directly into the php code:

<?php
$username = "login";
$password = "pw";
mysql_connect("server", $username, $password);
...
?>

这显然不是一个很好的主意！那么，什么是（多）更安全的方式来做到这一点？我读到把PHP code到一个单独的文件，这意味着不能进入该网站的主要的PHP文件，然后限制访问该文件。也许通过.htaccess文件。这是要走的路？

This obviously isn't a very good idea! So what is a (much) more "secure" way to do this? I read about putting the php code into a seperate file, meaning not into the main php document of the website, and then restricting the access to that file. Maybe by a .htaccess file. Is this the way to go?

推荐答案

在的config.php 文件和的.htaccess 是经典/好走。它的方式，它通常与CMS或框架完成。

The config.php file and the .htaccess is a classic/good way to go. It's the way it is usually done with CMS or frameworks.

正如由 JohnP ，也可以存储的config.php 公开目录之外下，这意味着它不能被通过HTTP访问。这仅仅是更好地为安全一点（如果你不犯错误与你的.htaccess，没有更多的风险）。

As pointed by JohnP, you can also store the config.php outside of the public directory, that means that it can't be accessed via HTTP. This is only a little better for security (if you don't make a mistake with your .htaccess, there is no more risks).

文件结构，例如：

这样一来， http://www.your-site.com/ 指向公共/ ，所以没有办法访问配置。但这种解决方案意味着你可以改变根Web目录（或者说，它已经是这样的）。

That way, http://www.your-site.com/ points to public/, so there's no way to access the config. But this solution implies that you can change the root web directory (or that it is already like that).

最后，你要记住，设置该文件的可读和可写的Apache用户只是，不是每个人都（UNIX文件访问权限），因此，如果有人获得通过另一个用户访问您的服务器，他将无法读取该文件。

Finally, you have to remember to set this file readable and writeable by the Apache user only, not everyone (unix file access rights), so that if someone gain access to you server through another user, he can't read the file.