I've figured out a fairly secure program structure. Here's one option (I'm sure there are as many ways to accomplish similar security as there are people on this list):

First, a little info about the environment. It's a Linux OS running Apache Web Server. Multi-user environment providing hosting to multiple domains. Development is done on Windows boxes.

Now, to accomplish security and keep it relatively well hidden took some doing. First, I use what I call 'control files'. These are the only files in the Web accessible directory tree (i.e. www.interkan.net/News/index.phtml). These files contain only code to process submitted commands (or default ones should no command be submitted) and include the proper files (config module which is where the MySQL access info is stored, global code libraries, and the actual code modules to handle submitted data).

The included modules are all kept in a PHP include directory in the appropriate user directory (i.e. /home/user/php-inc/<app-name>). Due to restrictions, we have to have the files themselves with 644 permissions (so the Web server can read them), but the directory permissions for php-inc and php-inc/<app-name> are set to 711. The permissions work out that no one can read the files unless they (1) know the exact path and filename and (2) have shell access to the server (the only people that have that are employees).

This helps in a couple of ways. If the PHP process ever dies, all someone will see when going to a PHP file is the file comment block, the file include information (not necessarily good, but they'd have to get into the server with a shell account first), and some if and switch statements. It also narrows down any security breaches to someone who had access to the system, instead of the entire Internet community.

______________________________________________
Peter Adams [EMAIL PROTECTED]
Web Developer http://www.interkan.net
InterKan.Net, Inc.
(785) 565-0991

> -----Original Message-----
> From: Duky Yuen [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, January 27, 2002 6:38 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: [PHP-DB] [PHP] PHP and MYSQL Security
>
>
> How can I secure my username and password? In 1 of my files,
> it contains the following:
>
> $conn = mysql_connect( "12.34.56.78", "username", "password");
> mysql_select_db("database",$conn);
>
> What should I do, so people can't get this information?
>
> Duky
>
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail:
> [EMAIL PROTECTED]
>
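One way to check the layout described in the reply above, as an added example that is not part of the original thread: `audit_layout` verifies that the include tree sits outside the web-accessible tree, that its directories are 711 and its files 644, and that no web-accessible file calls `mysql_connect` itself. The function names, the sample paths built by `build_sample`, and the `mysql_connect` search (a heuristic taken from the code in the question) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). All paths are assumptions.

# build_sample DIR: constructed layout matching the description, for testing.
build_sample() {
    mkdir -p "$1/www/News" "$1/php-inc/news"
    printf '<?php include "/home/user/php-inc/news/config.php"; ?>\n' \
        > "$1/www/News/index.phtml"
    printf '<?php /* constructed placeholder config */ ?>\n' \
        > "$1/php-inc/news/config.php"
    chmod 711 "$1/php-inc" "$1/php-inc/news"
    chmod 644 "$1/php-inc/news/config.php"
}

# audit_layout DOCROOT INCDIR: print findings; return 0 if clean, 1 if not.
audit_layout() {
    docroot=$1 incdir=$2 findings=0
    report() { echo "FAIL: $1"; echo "$2"; findings=1; }

    # The include tree must sit outside the web-accessible tree.
    case "$incdir/" in
        "$docroot"/*) report "include dir is under the docroot" "$incdir" ;;
    esac
    # Directories: 711, so they can be traversed but not listed.
    bad=$(find "$incdir" -type d ! -perm 711)
    [ -z "$bad" ] || report "directories not mode 711" "$bad"
    # Files: 644, so the web server can read them.
    bad=$(find "$incdir" -type f ! -perm 644)
    [ -z "$bad" ] || report "files not mode 644" "$bad"
    # Control files should only dispatch and include, not connect.
    bad=$(grep -rl 'mysql_connect' "$docroot" 2>/dev/null || true)
    [ -z "$bad" ] || report "connection code in web-accessible file" "$bad"

    return "$findings"
}

# Stand-alone use: sh audit.sh /path/to/docroot /home/user/php-inc
if [ "$#" -eq 2 ]; then audit_layout "$1" "$2"; fi
```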