php-general Digest 6 Dec 2011 04:10:59 -0000 Issue 7598

Topics (messages 315931 through 315934):

Re: Common way to store db-password of open session?
        315931 by: Andreas
        315932 by: Stuart Dallas
        315933 by: Ashley Sheridan

Re: yaf modules and plugins
        315934 by: Laruence

Administrivia:

To subscribe to the digest, e-mail:
        php-general-digest-subscr...@lists.php.net

To unsubscribe from the digest, e-mail:
        php-general-digest-unsubscr...@lists.php.net

To post to the list, e-mail:
        php-gene...@lists.php.net


----------------------------------------------------------------------
--- Begin Message ---
On 03.12.2011 23:54, Tamara Temple wrote:
> If you give every application user a unique set of database access permissions, that means that any one of those users can access your database WITHOUT going through your application if they manage to get access to your database server. Is that clearer? Your application's users should not be able to access the database directly. The application should be the thing to manage the database. You may want to have different database credentials for different user *roles* (plain, privileged, admin roles, etc), but to give *every* application individual database unique credentials is not only unnecessary, but also a security risk.

OK, then where or how is the most advisable place to store the application's credentials?

One way is to have it as constants in a separate php-file somewhere within the doc-root so php can easily access it as an include. An application that is to be put on an outside hosting provider's server has to do it like this, I guess.
Mine will stay on a server within the LAN for now, so I've got root access.

This way the web-server could display it in the probably unlikely case someone guesses the url to it AND the php-interpreter fails to process it first.

More likely a local user could read it, though.

So how would I store it and restrict access to it?

--- End Message ---
--- Begin Message ---
On 4 Dec 2011, at 16:59, Andreas wrote:

> On 03.12.2011 23:54, Tamara Temple wrote:
>> If you give every application user a unique set of database access 
>> permissions, that means that any one of those users can access your 
>> database WITHOUT going through your application if they manage to get access to 
>> your database server. Is that clearer? Your application's users should not 
>> be able to access the database directly. The application should be the 
>> thing to manage the database. You may want to have different database 
>> credentials for different user *roles* (plain, privileged, admin roles, 
>> etc), but to give *every* application individual database unique 
>> credentials is not only unnecessary, but also a security risk. 
> 
> OK, then where or how is the most advisable place to store the application's 
> credentials?
> 
> One way is to have it as constants in a separate php-file somewhere within 
> the doc-root so php can easily access it as an include.
> An application that is to be put on an outside hosting provider's server has to do it 
> like this, I guess.
> Mine will stay on a server within the LAN for now, so I've got root access.
> 
> This way the web-server could display it in the probably unlikely case 
> someone guesses the url to it AND the php-interpreter fails to process it 
> first.
> 
> More likely a local user could read it, though.
> 
> So how would I store it and restrict access to it?

Put it outside the document root so it can't be accessed directly. The only 
chance of it being displayed to a user then is via a really bad 
misconfiguration of the web server, or an error in the code, neither of which 
you can reasonably be expected to protect against (outside of effective 
testing).

-Stuart

-- 
Stuart Dallas
3ft9 Ltd
http://3ft9.com/

--- End Message ---
--- Begin Message ---
On Sun, 2011-12-04 at 17:59 +0100, Andreas wrote:

> On 03.12.2011 23:54, Tamara Temple wrote:
> > If you give every application user a unique set of database access 
> > permissions, that means that any one of those users can access your 
> > database WITHOUT going through your application if they manage to get 
> > access to your database server. Is that clearer? Your application's 
> > users should not be able to access the database directly. The 
> > application should be the thing to manage the database. You may want 
> > to have different database credentials for different user *roles* 
> > (plain, privileged, admin roles, etc), but to give *every* application 
> > individual database unique credentials is not only unnecessary, but 
> > also a security risk. 
> 
> OK, then where or how is the most advisable place to store the 
> application's credentials?
> 
> One way is to have it as constants in a separate php-file somewhere 
> within the doc-root so php can easily access it as an include.
> An application that is to be put on an outside hosting provider's server has to do 
> it like this, I guess.
> Mine will stay on a server within the LAN for now, so I've got root access.
> 
> This way the web-server could display it in the probably unlikely case 
> someone guesses the url to it AND the php-interpreter fails to process 
> it first.
> 
> More likely a local user could read it, though.
> 
> So how would I store it and restrict access to it?
> 


No, you put the credentials in a file /outside/ of the document root so
that it cannot be accessed by someone randomly guessing the URL. As long
as the user that the server runs as (usually something like apache or
wwwrun) has read access to the file, you should be able to include it
with a PHP script but other users won't be able to assuming that you set
the permissions 700 on it, for example. I'd avoid putting this file on
another server entirely though, as that opens up a whole new set of
potential problems.

-- 
Thanks,
Ash
http://www.ashleysheridan.co.uk



--- End Message ---
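The layout Stuart and Ash describe (credentials in a file one level above the document root, readable only by the web server's user, pulled in with an include) as an added example; this is not code from the thread. The paths `/var/www/example/htdocs` and `/var/www/example/config/db.php`, the loader name `bootstrap.php`, the `www-data` account and the `loadDbConfig()` function are all assumptions made for the example. The loader also refuses to start if the credentials file is readable by group or others, so a wrong chmod fails loudly instead of being silently accepted.

```php
<?php
// Added example, not from the php-general thread. Assumed layout:
//   /var/www/example/htdocs/           <- document root served by the web server
//   /var/www/example/htdocs/bootstrap.php  <- this file
//   /var/www/example/config/db.php     <- credentials, one level ABOVE the doc root
//
// config/db.php is assumed to contain only a return statement, e.g.:
//   <?php
//   return ['host' => 'localhost', 'dbname' => 'app', 'user' => 'app', 'password' => '...'];
// Returning an array keeps the credentials out of global scope.

declare(strict_types=1);

/**
 * Load database credentials from a file outside the document root.
 *
 * Throws if the file is missing, if its permissions allow group/other read,
 * or if a required key is absent, so a misconfiguration is caught at startup.
 */
function loadDbConfig(string $path): array
{
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException("DB config not found: $path");
    }

    $perms = fileperms($real);
    if ($perms === false) {
        throw new RuntimeException("Cannot read permissions of $real");
    }
    // fileperms() returns the full st_mode; keep only the rwx bits (0777).
    $mode = $perms & 0777;
    // Any group or other bit set (mask 0077) means someone other than the
    // owner can read the credentials; 0400 or 0700 both pass this check.
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf(
            'DB config %s is mode %04o; it must not be readable by group or others',
            $real,
            $mode
        ));
    }

    // require returns the value of the file's return statement.
    $config = require $real;
    if (!is_array($config)) {
        throw new RuntimeException("DB config $real must return an array");
    }
    foreach (['host', 'dbname', 'user', 'password'] as $key) {
        if (!array_key_exists($key, $config)) {
            throw new RuntimeException("DB config is missing key '$key'");
        }
    }
    return $config;
}

// Build the path relative to this script rather than the working directory.
// __DIR__ is the document root here, so '..' steps out of it.
$db = loadDbConfig(__DIR__ . '/../config/db.php');

// Connect with PDO; exceptions instead of silent failure.
$pdo = new PDO(
    sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $db['host'], $db['dbname']),
    $db['user'],
    $db['password'],
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);
```

On the filesystem side the file is owned by the account the web server runs as (Ash mentions `apache` or `wwwrun`; `www-data` is assumed here) and given a mode with no group/other bits, e.g. `chown www-data config/db.php && chmod 400 config/db.php`. With that in place a URL guess never reaches the file because nothing under `htdocs` maps to it, and other local accounts cannot read it because of the mode; the check in `loadDbConfig()` is what tells you if a later deploy step quietly widened those permissions.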
--- Begin Message ---
Hi:
    a database should be a model,  module is another concept. :)

    please refer to: http://www.php.net/manual/en/class.yaf-loader.php

    sorry for the delay :)

thanks

2011/12/1 Moldován Eduárd <e...@boxed.hu>

>  Hey Laruence,
>
> I have a few more questions.
> Modules and plugins. How do they work, how are they loaded?
> In my current php framework database is a module, cache also. There are no
> plugins there.
>
> Thx in advance,
> edi
>  *Moldován Eduárd*
> boxed.hu
> e...@boxed.hu
> +36 30 691 2 691
> skype: edimoldovan
>
>
>


-- 
Laruence  Xinchen Hui
http://www.laruence.com/

--- End Message ---