php-general Digest 20 Aug 2011 15:59:02 -0000 Issue 7449
Topics (messages 314573 through 314579):

Newbie security database connection question
    314573 by: DealTek
    314574 by: Midhun Girish
    314575 by: Tamara Temple

how catch a warning by file_put_contents() ?
    314576 by: Andreas
    314577 by: Simon J Welsh
    314578 by: Adam Richardson

Re: Can't create new projects with Netbeans as nonadmin
    314579 by: Daniel Brown
----------------------------------------------------------------------
--- Begin Message ---
Hello,
NEWBIE: I have a security question:
When working with PHP and MySQL, it seems that one method is to create a
connection.php page to the database that will store the connection parameters
such as username, password and URL ip in clear text and include this on various
pages.
Since hackers seem to be getting better and better every day:
- Is this common practice to store this security data in the clear on the PHP
webpage?
- Wouldn't it be possible for a hacker to SNIFF around and pick up this
sensitive "clear text" security data?
- Is there some better, more secure way to communicate from the website to the
MySQL data source that is somehow sending encrypted information rather than
clear text back and forth?
Thanks in advance for your help.
--
Thanks,
Dave - DealTek
--- End Message ---
--- Begin Message ---
On Sat, Aug 20, 2011 at 6:22 AM, DealTek <[email protected]> wrote:
> Hello,
>
> NEWBIE: I have a security question:
>
> When working with PHP and MySQL, it seems that one method is to create a
> connection.php page to the database that will store the connection
> parameters such as username, password and URL ip in clear text and include
> this on various pages.
>
> Since hackers seem to be getting better and better every day:
>
> - Is this common practice to store this security data in the clear on the
> PHP webpage?
>
> - Wouldn't it be possible for a hacker to SNIFF around and pick up this
> sensitive "clear text" security data?
>
> - Is there some better, more secure way to communicate from the website to
> the MySQL data source that is somehow sending encrypted information rather
> than clear text back and forth?
>
> Thanks in advance for your help.
>
>
You can encrypt the access credentials using some public key encryption
technique like RSA and then decode it inside php before connecting to db...
But still you have to store the private key in plain text somewhere...
OR maybe you can use 'hard to guess substitution ciphers' [I dunno if that
exists] or create an encryption logic of your own and then use it to encrypt
the database uname and pass.....
Regards
Midhun Girish
--- End Message ---
--- Begin Message ---
On Aug 19, 2011, at 7:52 PM, DealTek wrote:
> Hello,
>
> NEWBIE: I have a security question:
>
> When working with PHP and MySQL, it seems that one method is to
> create a connection.php page to the database that will store the
> connection parameters such as username, password and URL ip in clear
> text and include this on various pages.
>
> Since hackers seem to be getting better and better every day:
>
> - Is this common practice to store this security data in the clear
> on the PHP webpage?
>
> - Wouldn't it be possible for a hacker to SNIFF around and pick up
> this sensitive "clear text" security data?
>
> - Is there some better, more secure way to communicate from the
> website to the MySQL data source that is somehow sending encrypted
> information rather than clear text back and forth?
>
> Thanks in advance for your help.

If your web server and MySQL server are running on the same host, make
sure your db user only has access via localhost.
If your web server running php is on a different host from your MySQL
server, set the host access for that db user to only allow access from
the web server host. If you are running MySQL 5, you can secure the
connection using SSL to ensure that a sniffer will have a much more
difficult time stealing your credentials. Another way is to set up an
SSH tunnel.
A couple other things:
* generally, it is considered a good practice to store access
credentials used by a php application *outside* the web server's
visibility.
* include the php script in whatever other main scripts your
application has, and make it readable only to the web server user/group.
* if anything else, make sure the file has the extension .php and the
credentials are inside the php code space so it can't be downloaded
directly by a web user.
--- End Message ---
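
Added example (not part of any list message): one way to apply the advice in the reply above, keeping the settings in a PHP file outside the document root, refusing to load it when other users on the host can access it, and connecting over SSL with mysqli. The directory layout, address, account name and CA path are constructed for illustration.

```php
<?php
// Added example. All paths, addresses and account names are constructed.

/** Load DB settings from a PHP file that lives outside the document root. */
function load_db_config(string $configFile, string $docRoot): array
{
    $real = realpath($configFile);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('config file or document root not found');
    }
    // Refuse a file the web server could be asked to serve.
    if (strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('config file is inside the document root');
    }
    // Refuse a file that "other" users on the host can read or write.
    if ((fileperms($real) & 0007) !== 0) {
        throw new RuntimeException('config file is accessible to other users');
    }
    return require $real;   // the file returns an array of settings
}

/** Connect over SSL so credentials and queries do not cross the network in clear text. */
function connect_db(array $cfg): mysqli
{
    $db = mysqli_init();
    $db->ssl_set(null, null, $cfg['ssl_ca'], null, null);   // CA certificate for the server's chain
    if (!$db->real_connect($cfg['host'], $cfg['user'], $cfg['pass'],
                           $cfg['name'], 3306, null, MYSQLI_CLIENT_SSL)) {
        throw new RuntimeException('connect failed: ' . mysqli_connect_error());
    }
    return $db;
}

// Constructed layout: <tmp>/site_N/public is the document root,
// <tmp>/site_N/private/db.php holds the settings.
$base = sys_get_temp_dir() . '/site_' . getmypid();
mkdir("$base/public", 0755, true);
mkdir("$base/private", 0750, true);
$file = "$base/private/db.php";
file_put_contents($file, "<?php return ['host' => '192.0.2.20', 'user' => 'app', "
    . "'pass' => 'example-only', 'name' => 'appdb', 'ssl_ca' => '/etc/ssl/mysql-ca.pem'];");
chmod($file, 0640);

$cfg = load_db_config($file, "$base/public");
echo "loaded settings for {$cfg['user']}@{$cfg['host']}\n";
// $db = connect_db($cfg);   // requires a reachable MySQL server with SSL enabled
```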
--- Begin Message ---
Hi,
I wrote stuff with file_put_contents() in a try{} catch{} and it worked.
Then I'd like to check what happens when some error occurs so I
write-protected the target file.
Instead of getting my own message by the catch{} block I got a standard
warning in the browser.
Can't I catch those warnings, too?
And why does this function raise a warning when it can't accomplish its task?
Sample code:
try {
    $msg = date ("d.m.Y H:i:s") . 'This should be stored in the file.';
    file_put_contents( '/tmp/exceptions.txt', $msg . "\n", FILE_APPEND);
}
catch ( Exception $e ) {
    $msg = "Exception " . $e->getCode() . " / " . $e->getMessage();
    echo "<p>$msg</p>";
}
--- End Message ---
--- Begin Message ---
On 20/08/2011, at 4:51 PM, Andreas wrote:
> Hi,
> I wrote stuff with file_put_contents() in a try{} catch{} and it worked.
>
> Then I'd like to check what happens when some error occurs so I
> write-protected the target file.
> Instead of getting my own message by the catch{} block I got a standard
> warning in the browser.
>
> Can't I catch those warnings, too?
> And why does this function raise a warning when it can't accomplish its task?
>
>
> Sample code:
> try {
>     $msg = date ("d.m.Y H:i:s") . 'This should be stored in the file.';
>     file_put_contents( '/tmp/exceptions.txt', $msg . "\n", FILE_APPEND);
> }
> catch ( Exception $e ) {
>     $msg = "Exception " . $e->getCode() . " / " . $e->getMessage();
>     echo "<p>$msg</p>";
> }

file_put_contents() doesn't throw exceptions. As the note on the exception
documentation says: "Internal PHP functions mainly use Error reporting, only
modern Object oriented extensions use exceptions."
If you look at the documentation for its return value
(http://php.net/file_put_contents), you'll see that false is returned on
failure.
In this case, a warning makes more sense than throwing an exception anyway. A
warning can be ignored, either by changing the error_reporting level or using
the error control operator, whereas an exception must be dealt with or
execution halts.
---
Simon Welsh
Admin of http://simon.geek.nz/
--- End Message ---
--- Begin Message ---
On Sat, Aug 20, 2011 at 1:23 AM, Simon J Welsh <[email protected]> wrote:
> On 20/08/2011, at 4:51 PM, Andreas wrote:
>
> > Hi,
> > I wrote stuff with file_put_contents() in a try{} catch{} and it worked.
> >
> > Then I'd like to check what happens when some error occurs so I
> > write-protected the target file.
> > Instead of getting my own message by the catch{} block I got a standard
> > warning in the browser.
> >
> > Can't I catch those warnings, too?
> > And why does this function raise a warning when it can't accomplish its
> > task?
> >
> >
> > Sample code:
> > try {
> >     $msg = date ("d.m.Y H:i:s") . 'This should be stored in the file.';
> >     file_put_contents( '/tmp/exceptions.txt', $msg . "\n", FILE_APPEND);
> > }
> > catch ( Exception $e ) {
> >     $msg = "Exception " . $e->getCode() . " / " . $e->getMessage();
> >     echo "<p>$msg</p>";
> > }
>
> file_put_contents() doesn't throw exceptions. As the note on the exception
> documentation says: "Internal PHP functions mainly use Error reporting, only
> modern Object oriented extensions use exceptions."
>
> If you look at the documentation for its return value (
> http://php.net/file_put_contents), you'll see that false is returned on
> failure.
>
> In this case, a warning makes more sense than throwing an exception anyway.
> A warning can be ignored, either by changing the error_reporting level or
> using the error control operator, whereas an exception must be dealt with or
> execution halts.
> ---
> Simon Welsh
> Admin of http://simon.geek.nz/
Simon explains the rationale and heritage well.
If, however, you still wish to catch errors as exceptions, you can do so
with code like that below:
function error_handler($errno, $errstr, $errfile, $errline)
{
    // must take into account error suppressor (@) and not do anything with them (they equal 0)
    // http://framework.zend.com/issues/browse/ZF-3829
    // check against current error_reporting bitmasks
    if (!(\error_reporting() & $errno)) {
        return true;
    } else {
        $error_msg = "<dl><dt>Error Type (see http://www.php.net/manual/en/errorfunc.constants.php):</dt><dd>$errno</dd><dt>Error Message:</dt><dd>$errstr</dd><dt>File:</dt><dd>$errfile</dd><dt>Line:</dt><dd>$errline</dd></dl>";
        throw new \Exception($error_msg);
    }
}

set_error_handler('error_handler');
I just pulled some quick code from my web framework.
Adam
--
Nephtali: A simple, flexible, fast, and security-focused PHP framework
http://nephtaliproject.com
--- End Message ---
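
Added example (not code from any poster in this thread): the two replies above combined for the original file_put_contents() case, with the warning-to-exception handler installed only around the write, the false return value still checked, and the error detail (which includes file paths) sent to the log rather than the browser. The function name append_line and the target path are hypothetical.

```php
<?php
// Added example; append_line() and the target path are hypothetical.

/** Append a line to a file, turning PHP warnings into ErrorException. */
function append_line(string $path, string $line): int
{
    set_error_handler(function (int $errno, string $errstr, string $file, int $lineNo) {
        // Respect error_reporting and the @ operator, as in the handler above.
        if (!(error_reporting() & $errno)) {
            return true;
        }
        throw new ErrorException($errstr, 0, $errno, $file, $lineNo);
    });
    try {
        $bytes = file_put_contents($path, $line . "\n", FILE_APPEND | LOCK_EX);
    } finally {
        restore_error_handler();   // the handler stays scoped to this call
    }
    if ($bytes === false) {        // failure that raised no warning
        throw new RuntimeException("could not write to $path");
    }
    return $bytes;
}

// Constructed failure case: the parent directory does not exist.
$target = sys_get_temp_dir() . '/no-such-dir-' . getmypid() . '/exceptions.txt';
try {
    append_line($target, date('d.m.Y H:i:s') . ' This should be stored in the file.');
} catch (ErrorException | RuntimeException $e) {
    error_log('write failed: ' . $e->getMessage());   // full detail goes to the log
    echo "<p>The entry could not be saved.</p>\n";    // generic message for the browser
}
```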
--- Begin Message ---
On Thu, Aug 18, 2011 at 23:34, Andreas <[email protected]> wrote:
> Hi,
>
> Netbeans 7.0.1 on WinXP.
>
> I can't create new projects with Netbeans without being logged in as
> administrator.
> When I call file->new project I only get the category "Samples".
> The category "PHP" with the empty projects only appears when I'm logged in
> as Administrator.
>
> How can I create projects as normal user?
Though you're using PHP, this is a NetBeans question, not a PHP
question. Please ask via one of their support channels.
--
</Daniel P. Brown>
Network Infrastructure Manager
http://www.php.net/
--- End Message ---