On Aug 19, 2011, at 7:52 PM, DealTek wrote:


NEWBIE: I have a security question:

When working with PHP and MySQL, it seems that a one method is to create a connection.php page to the database that will store the connection parameters such as username, password and URL ip in clear text and include this on various pages.

Since hackers seem to be getting better and better every day:

- Is this common practice to store this security data in the clear on the PHP webpage?

- Wouldn't it be possible for a hacker to SNIFF around and pick up this sensitive "clear text" security data?

- Is there some better, more secure way to communicate from the website to the MySQL data source that is somehow sending encrypted information rather than clear text back and forth?

Thanks in advance for your help.

If your web server and MySQL server are running on the same host, make sure your db user only has access via localhost.

If your web server running php is on a different host from your MySQL server, set the host access for that db user to only allow access from the web server host. If you are running MySQL 5, you can secure the connection using SSL to ensure that a sniffer will have a much more difficult time stealing your credentials. Another way is to set up an SSH tunnel.

A couple other things:

* generally, it is considered a good practice to store access credentials used by a php application *outside* the web server's visibility.

* include the php script in whatever other main scripts your application has, and make it readable only to the web server user/group.

* if anything else, make sure the file has the extension .php and the credentials are inside the php code space so it can't be downloaded directly by a web user.

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to