RE: [PHP-DB] [PHP] PHP and MYSQL Security`

2002-01-28 Thread Special Design Services Inc.

What I do, because I am using a test platform, is to put the line with
pconnect() in a small text file, place this file somewhere on the disk
outside of the web site root, and refer to that file with include() in my code.
This way, even if the PHP source code were compromised, the user name
and password used to access the DB cannot be seen.

Subject: Re: [PHP] PHP and MYSQL Security`
From: Fred [EMAIL PROTECTED]
Date: Sun, 27 Jan 2002 16:59:31 -0800
To: [EMAIL PROTECTED], [EMAIL PROTECTED]


If this file has a .php extension remote users will not have access to the
variables because the file is parsed by php and they never see the actual
file contents when requesting the document via the web.  If you are
concerned with users on localhost having access to the file, simply give it
the correct permissions so that no one else has read access.

If you are concerned about web users having access, if, for example, the php
parser crashed and apache tried to pass the file through without parsing,
you can put the default server, user and pass variables in the php.ini file
which is not in the document root for apache.  Of course, this only works if
all of your scripts use the same server, user and password.

Fred

Duky Yuen [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

How can I secure my username and password? In 1 of my files, it contains
the following:

$conn = mysql_connect('12.34.56.78', 'username', 'password');
mysql_select_db('database', $conn);

What should I do, so people can't get this information?

Duky



-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




RE: [PHP-DB] [PHP] PHP and MYSQL Security`

2002-01-28 Thread Peter Adams (IKN)

I've figured out a fairly secure program structure.  Here's one option
(I'm sure there's as many ways to accomplish similar security as there
are people on this list):

First, a little info about the environment.  It's a Linux OS running
Apache Web Server.  Multi-user environment providing hosting to multiple
domains.  Development is done on Windows boxes.

Now, to accomplish security and keep it relatively well hidden took some
doing.  First, I use what I call 'control files'.  These are the only
files in the Web accessible directory tree (i.e.
www.interkan.net/News/index.phtml).  These files contain only code to
process submitted commands (or default ones should no command be
submitted) and include the proper files (config module which is where
the mySQL access info is stored, global code libraries, and the actual
code modules to handle submitted data).

The included modules are all kept in a PHP include directory in the
appropriate user directory (i.e. /home/user/php-inc/app-name).  Due to
restrictions, we have to have the files themselves with 644 permissions
(so the Web server can read them), but the directory permissions for
php-inc and php-inc/app-name are set to 711.  The permissions work out
that no one can read the files unless they (1) know the exact path and
filename and (2) have shell access to the server (the only people that
have that are employees).

This helps in a couple of ways.  If the PHP process ever dies, all someone
will see when going to a PHP file is the file comment block, the file
include information (not necessarily good, but they'd have to get into
the server with a shell account first), and some if and switch
statements.  It also narrows down any security breaches to someone who
had access to the system, instead of the entire Internet community.
--
Peter Adams          [EMAIL PROTECTED]
Web Developer        http://www.interkan.net
InterKan.Net, Inc.   (785) 565-0991






RE: [PHP-DB] [PHP] PHP and MYSQL Security`

2002-01-27 Thread Gurhan Ozen

The actual content of the .php files won't be seen from the net since it is a
server-side scripting language. But if you are still concerned you can put
database connection info into another file (preferably a .php file) and place
it somewhere outside your web directory and access it through require() or
include() inside your actual web page.
But if your concern is for local users' access to those files, just set
your file/directory permissions accordingly.

Gurhan
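The pattern the replies in this thread describe (credentials kept in a module outside the document root, pulled in with include()/require(), and protected by file permissions) written out as a working control file. This is an added example, not code from any poster in the thread. The paths, the document root, the db-config.php name and the credential values are assumptions modelled on Peter Adams' description; mysqli stands in for the thread's mysql_connect(), which PHP 7 removed.

```php
<?php
declare(strict_types=1);

// Added example: the "config module outside the document root" pattern from
// this thread.  Assumed (hypothetical) layout, modelled on Peter Adams' post:
//   /home/user/php-inc/app-name/db-config.php  credentials, not under the web root
//   /home/user/www/News/index.phtml            control file, web-accessible
// db-config.php holds nothing but a return statement and has a .php
// extension, so that if Apache ever served it directly the parser would
// still run it and emit nothing:
//   <?php
//   return ['host' => '12.34.56.78', 'user' => 'username',
//           'pass' => 'password',    'db'   => 'database'];

/**
 * Load the credentials module after checking that it lives outside the
 * document root and is not writable by other users.  Returns the array.
 */
function load_db_config(string $path, string $docRoot): array
{
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException("config module not found: $path");
    }

    // Refuse a module that sits anywhere under the web-accessible tree.
    $root = realpath($docRoot) ?: $docRoot;
    $prefix = rtrim($root, '/') . '/';
    if (strncmp($real, $prefix, strlen($prefix)) === 0) {
        throw new RuntimeException("config module is inside the document root: $real");
    }

    $mode = fileperms($real) & 0777;
    if ($mode & 0002) {
        // World-writable: any local user could replace the credentials or the code.
        throw new RuntimeException(sprintf('config module %s is world-writable (%04o)', $real, $mode));
    }
    if ($mode & 0004) {
        // Peter's 644-file / 711-directory compromise lands here: readable by
        // anyone with shell access who learns the path.  Warn, do not refuse.
        trigger_error(sprintf('config module %s is world-readable (%04o)', $real, $mode), E_USER_WARNING);
    }

    $cfg = require $real;
    foreach (['host', 'user', 'pass', 'db'] as $key) {
        if (!is_array($cfg) || !isset($cfg[$key]) || !is_string($cfg[$key])) {
            throw new RuntimeException("config module is missing '$key'");
        }
    }
    return $cfg;
}

/**
 * Open the connection.  mysqli stands in for the thread's mysql_connect(),
 * which PHP 7 removed; exceptions replace silent false returns.
 */
function db_connect(array $cfg): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['db']);
}

// Self-contained demonstration: write a constructed module to a 0600 temp file
// and load it the way index.phtml would load the real db-config.php.
$tmp = tempnam(sys_get_temp_dir(), 'dbcfg');
file_put_contents($tmp, "<?php\nreturn ['host' => '12.34.56.78', 'user' => 'username',"
    . " 'pass' => 'password', 'db' => 'database'];\n");
chmod($tmp, 0600);
$cfg = load_db_config($tmp, '/home/user/www');   // document root is an assumption
printf("loaded credentials for %s@%s, database %s\n", $cfg['user'], $cfg['host'], $cfg['db']);
unlink($tmp);
// $db = db_connect($cfg);   // only once a MySQL server is reachable
```

Run as `php index.phtml` the demonstration block at the bottom exercises the loader against a throwaway 0600 file; in the real control file the call would be `load_db_config('/home/user/php-inc/app-name/db-config.php', $_SERVER['DOCUMENT_ROOT'])` followed by `db_connect()`. The document-root check covers Fred's scenario of the parser failing and Apache serving the file raw, and the mode checks cover the local-user concern Gurhan and Peter raise: a world-writable module is rejected outright, a world-readable one (Peter's 644 files) only draws a warning because his hosting restrictions require it.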
