Steven,

I'm currently running a LAMP setup much like the one you described. A plain text username and password is really the best way to go for giving PHP what it needs to access MySQL. There are other options, but they are a lot of work to implement and in my opinion not worth the extra effort. It is easier to use your existing setup to safeguard a plain text password than to write your own scheme.

For starters, if you are using a shared machine then you want to avoid storing anything secure in a world-readable directory. Next, MySQL databases are normally secure, but the software designed to access them may not be. I've run into situations where hackers have been able to roam freely through other people's databases because some buggy front-end software packages were running as root. I wouldn't install any web-based GUIs on your machine or give others the ability to do so--handle everything from a secure shell or by sitting physically at the server. The most secure site will be on its own machine with very limited access.

Now, for the actual password file that PHP uses: Place the password file outside of your htdocs directory in a place that PHP has access to (normally it's running as root, so a dir with root as owner and a 700 mode permission is optimal). For convenience, I normally put secure information like this as a defined constant in a configuration file and just have my PHP scripts include() it. Included files prevent sensitive information like this from being dumped to the screen if something goes wrong with your setup. Also, be sure to disable error_reporting and enable error_logging in your php.ini file and strip out any code that prints MySQL error messages to the screen--these are all ways someone can gather information about the internal workings of your setup.

Lastly, the MySQL user you set up to read your permissions table should be a special user. Make a new MySQL user account and grant it select privileges on that table only. That won't completely protect you but it will keep an unauthorized user from mucking up your databases and from gaining access to MySQL's own password information.

I hope that helps!

-Rob

-----Original Message-----
From: Lefevre, Steven [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 5:00 PM
To: [EMAIL PROTECTED]
Subject: Designing a secure database?

I'm working on a website/database deal, and right now I'm designing the security model. It's using LAMP(HP), so all the tricks are going to be through PHP.

First off, this will be behind a firewall with SSL encryption. We may also set up some kind of VPN tunneling. I'll be ignoring other security details that don't apply to the problem at hand, but please feel free to suggest.

I'm going to have users enter a username and password, with PHP emulating the htaccess dialogue boxes. I would like to check the entered values in a permissions table. This table looks like:

username | passwordhash | ipaddress | permission

All users will have a static IP, so they have to match the username-password-ipaddress combination. I'm storing the passwords as an MD5 hash in case someone breaks in and reads the table.

So what MySQL user does PHP log on to the database as, in order to read the permissions table? (After that, we just go with the logged user's permission). If I make a special user that just has permission to read the permission table, do I have to store that user's password plaintext in a php script somewhere, thus adding a security risk if someone were to get a hold of that password?

Steve

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
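
As an added example that is not part of the thread: a shell check for the file-placement advice in the reply (credentials file outside htdocs, in a mode-700 directory, not world-readable). The function name, finding labels and any paths passed to it are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit where a PHP credentials file lives.
# Usage: audit_secret_file FILE DOCROOT
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 if FILE is missing.
audit_secret_file() {
    file=$1 docroot=$2 rc=0
    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 2
    fi

    # Resolve directory symlinks and ".." so the docroot comparison uses real paths.
    dir=$(cd "$(dirname "$file")" && pwd -P)
    root=$(cd "$docroot" && pwd -P)
    real=$dir/$(basename "$file")

    # 1. The file must not be servable: it has to live outside the document root.
    #    The trailing slash keeps a sibling such as "htdocs-secret" from matching.
    case "$real" in
        "$root"/*) echo "inside-docroot: $real"; rc=1 ;;
    esac

    # 2. The containing directory should be mode 700: no group/other bits at all.
    #    Characters 5-10 of the ls mode string are the group and other triplets.
    dmode=$(ls -ld "$dir" | cut -c5-10)
    if [ "$dmode" != "------" ]; then
        echo "dir-not-700: $dir ($dmode)"; rc=1
    fi

    # 3. The file itself must not be world-readable (character 8 is other-read).
    fother=$(ls -l "$real" | cut -c8)
    if [ "$fother" = "r" ]; then
        echo "world-readable: $real"; rc=1
    fi
    return $rc
}

# Run directly as: sh audit.sh /path/to/config.php /path/to/htdocs
if [ $# -eq 2 ]; then
    audit_secret_file "$1" "$2"
fi
```
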