I've figured out a fairly secure program structure.  Here's one option
(I'm sure there are as many ways to accomplish similar security as there
are people on this list):

First, a little info about the environment.  It's a Linux OS running
Apache Web Server.  Multi-user environment providing hosting to multiple
domains.  Development is done on Windows boxes.

Now, to accomplish security and keep it relatively well hidden took some
doing.  First, I use what I call 'control files'.  These are the only
files in the Web accessible directory tree (i.e.
www.interkan.net/News/index.phtml).  These files contain only code to
process submitted commands (or default ones should no command be
submitted) and include the proper files (config module which is where
the MySQL access info is stored, global code libraries, and the actual
code modules to handle submitted data).

The included modules are all kept in a PHP include directory in the
appropriate user directory (i.e. /home/user/php-inc/<app-name>).  Due to
restrictions, we have to have the files themselves with 644 permissions
(so the Web server can read them), but the directory permissions for
php-inc and php-inc/<app-name> are set to 711.  The permissions work out
that no one can read the files unless they (1) know the exact path and
filename and (2) have shell access to the server (the only people that
have that are employees).

This helps in a couple ways.  If the PHP process ever dies, all someone
will see when going to a PHP file is the file comment block, the file
include information (not necessarily good, but they'd have to get into
the server with a shell account first), and some if and switch
statements.  It also narrows down any security breaches to someone who
had access to the system, instead of the entire Internet community.
______________________________________________
Peter Adams            [EMAIL PROTECTED]
Web Developer          http://www.interkan.net
InterKan.Net, Inc.     (785) 565-0991



> -----Original Message-----
> From: Duky Yuen [mailto:[EMAIL PROTECTED]] 
> Sent: Sunday, January 27, 2002 6:38 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: [PHP-DB] [PHP] PHP and MYSQL Security
> 
> 
> How can I secure my username and password? In 1 of my files, 
> it contains the following:
> 
>     $conn = mysql_connect( "12.34.56.78", "username", "password");
>     mysql_select_db("database",$conn);
> 
> What should I do, so people can't get this information?
> 
> Duky
> 
> 
> -- 
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: 
> [EMAIL PROTECTED]
> 
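
One way to check the layout described in the message above (includes kept outside the Web tree, php-inc and php-inc/<app-name> at 711, included files at 644). This is an added example, not part of the original post; the function name audit_layout and the sample paths are hypothetical, and it assumes GNU stat as found on Linux.

```shell
#!/bin/sh
# Added example: audit the include-directory layout described in the message.
# Assumes GNU stat (Linux). All paths below are constructed samples.

# audit_layout DOCROOT INCDIR -> prints findings, returns how many were found
audit_layout() {
    local docroot incdir findings=0 mode d f
    docroot=$(cd "$1" && pwd -P) || return 255
    incdir=$(cd "$2" && pwd -P) || return 255

    # 1. The include directory must live outside the Web-accessible tree.
    case "$incdir/" in
        "$docroot"/*) echo "FAIL: $incdir is inside the document root"
                      findings=$((findings + 1)) ;;
    esac

    # 2. php-inc and php-inc/<app-name> must be 711: traversable, not listable.
    for d in "$(dirname "$incdir")" "$incdir"; do
        mode=$(stat -c '%a' "$d")
        if [ "$mode" != "711" ]; then
            echo "FAIL: $d is $mode, expected 711"
            findings=$((findings + 1))
        fi
    done

    # 3. Included files must be 644: Web server can read, only the owner writes.
    for f in "$incdir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        if [ "$mode" != "644" ]; then
            echo "FAIL: $f is $mode, expected 644"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample tree (hypothetical names) to exercise the audit.
demo=$(mktemp -d)
mkdir -p "$demo/www/News" "$demo/php-inc/news"
echo '<?php /* config module */' > "$demo/php-inc/news/config.inc"
chmod 711 "$demo/php-inc" "$demo/php-inc/news"
chmod 644 "$demo/php-inc/news/config.inc"
audit_layout "$demo/www" "$demo/php-inc/news" && echo "layout OK"
rm -rf "$demo"
```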

