Re: [PHP-DB] MySQL password protection?
Make the include file (or wherever your page with the pass is) encrypted, see ioncube.com. They charge by the amount of code you encrypt; for a simple database include file, I think it would be $1 or less.

On Wed, 2002-11-06 at 16:04, William Trappeniers wrote:

> Hi all
>
> I was wondering if it is possible to protect my password to the MySQL-server from being in a PHP-script. Now I can't do that, so everybody who gets to see my php-sourcecode also can see my (not protected/not encrypted) password. How can I change this?
>
> Thanks,
> William
>
> ---
> William Trappeniers
> mail at: [EMAIL PROTECTED]

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DB] MySQL password protection?
> I was wondering if it is possible to protect my password to the MySQL-server from being in a PHP-script. Now I can't do that, so everybody who gets to see my php-sourcecode also can see my (not protected/not encrypted) password. How can I change this?

You can't, unless you want to put it in php.ini or a my.conf file...

---John Holmes...

RE: [PHP-DB] MySQL password protection?
Actually you can make a .php file with your connection info, include it in your .php files at the top and encrypt that one file (they don't need to see it anyway). Use a php encoder for the file with your login info in it.

-----Original Message-----
From: 1LT John W. Holmes [mailto:holmes072000;charter.net]
Sent: Wednesday, November 06, 2002 4:16 PM
To: William Trappeniers; [EMAIL PROTECTED]
Subject: Re: [PHP-DB] MySQL password protection?

> I was wondering if it is possible to protect my password to the MySQL-server from being in a PHP-script. Now I can't do that, so everybody who gets to see my php-sourcecode also can see my (not protected/not encrypted) password. How can I change this?

You can't, unless you want to put it in php.ini or a my.conf file...

---John Holmes...

Re: [PHP-DB] MySQL password protection?
You could put it anywhere. Stick it in a text file somewhere, fopen() and read the file for the password. Or keep it in a php script outside of the web root if that's the issue, then just include() it when you need to.

Of course any file you put it in will have to be readable by whatever user the webserver is running as.

-Steve

On Wednesday, November 6, 2002, at 04:16 PM, 1LT John W. Holmes wrote:

>> I was wondering if it is possible to protect my password to the MySQL-server from being in a PHP-script. Now I can't do that, so everybody who gets to see my php-sourcecode also can see my (not protected/not encrypted) password. How can I change this?
>
> You can't, unless you want to put it in php.ini or a my.conf file...
>
> ---John Holmes...

Re: [PHP-DB] MySQL password protection?
Are you sure you can include an encoded file into a non-encoded one? I had forgotten about this option, but if you can find a worthwhile compiler/encoder/etc, then that's a solution.

---John Holmes...

----- Original Message -----
From: SELPH,JASON (HP-Richardson,ex1) [EMAIL PROTECTED]
To: '1LT John W. Holmes' [EMAIL PROTECTED]; William Trappeniers [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, November 06, 2002 5:30 PM
Subject: RE: [PHP-DB] MySQL password protection?

> Actually you can make a .php file with your connection info, include it in your .php files at the top and encrypt that one file (they don't need to see it anyway). Use a php encoder for the file with your login info in it.
>
> -----Original Message-----
> From: 1LT John W. Holmes [mailto:holmes072000;charter.net]
> Sent: Wednesday, November 06, 2002 4:16 PM
> To: William Trappeniers; [EMAIL PROTECTED]
> Subject: Re: [PHP-DB] MySQL password protection?
>
>> I was wondering if it is possible to protect my password to the MySQL-server from being in a PHP-script. Now I can't do that, so everybody who gets to see my php-sourcecode also can see my (not protected/not encrypted) password. How can I change this?
>
> You can't, unless you want to put it in php.ini or a my.conf file...
>
> ---John Holmes...

RE: [PHP-DB] MySQL password protection?
Make sure that the encoder you use actually makes the string unreadable. Otherwise, you can use a simple trick, like for example XORing the whole string with FF or something similar.

--
php|architect - The magazine for PHP Professionals
The first monthly worldwide magazine dedicated to PHP programmers
Come visit us at http://www.phparch.com!

---BeginMessage---

Actually you can make a .php file with your connection info, include it in your .php files at the top and encrypt that one file (they don't need to see it anyway). Use a php encoder for the file with your login info in it.

-----Original Message-----
From: 1LT John W. Holmes [mailto:holmes072000;charter.net]
Sent: Wednesday, November 06, 2002 4:16 PM
To: William Trappeniers; [EMAIL PROTECTED]
Subject: Re: [PHP-DB] MySQL password protection?

> I was wondering if it is possible to protect my password to the MySQL-server from being in a PHP-script. Now I can't do that, so everybody who gets to see my php-sourcecode also can see my (not protected/not encrypted) password. How can I change this?

You can't, unless you want to put it in php.ini or a my.conf file...

---John Holmes...

---End Message---

Re: [PHP-DB] MySQL password protection?
And make sure you make sure the webserver will not SERVE that file!!! You see the source, see that you are fopening the file, I'll find it on your system and get it from the web server and I have your password!

Make sure the file is NOT in the document root that the web server serves from. You could also just use the file .htpasswd, usually by default web servers will NOT serve any file named that. However, much safer to put it somewhere that the web server cannot see (but your PHP script can).

Also, this is just as insecure as the other way to any person with a login on the box your PHP script is in. Usually the script is owned by nobody:nobody or read-write all, in which case all local users can get your password. The nobody method at least keeps no password.

Peter

On Wed, 6 Nov 2002, Steve Cayford wrote:

> You could put it anywhere. Stick it in a text file somewhere, fopen() and read the file for the password. Or keep it in a php script outside of the web root if that's the issue, then just include() it when you need to.
>
> Of course any file you put it in will have to be readable by whatever user the webserver is running as.
>
> -Steve
>
> On Wednesday, November 6, 2002, at 04:16 PM, 1LT John W. Holmes wrote:
>
>>> I was wondering if it is possible to protect my password to the MySQL-server from being in a PHP-script. Now I can't do that, so everybody who gets to see my php-sourcecode also can see my (not protected/not encrypted) password. How can I change this?
>>
>> You can't, unless you want to put it in php.ini or a my.conf file...
>>
>> ---John Holmes...

---
Peter Beckman    Systems Engineer, Fairfax Cable Access Corporation
[EMAIL PROTECTED]    http://www.purplecow.com/
---

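
Steve's suggestion (read the password from a file outside the web root) combined with Peter's two caveats (the web server must not serve the file, and other local users must not be able to read it), as an added example that is not part of the original thread. It assumes a Unix-like host; `load_db_credentials()`, the INI key names and the demo paths are hypothetical.

```php
<?php
// Added example, not code from the thread. load_db_credentials(), the INI
// key names and the demo paths are hypothetical names used for illustration.

function load_db_credentials(string $file, string $docRoot): array
{
    $real = realpath($file);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('credentials file or document root not found');
    }
    // A file under the document root can be fetched by URL by anyone who
    // learns its name, so refuse it outright.
    if (strpos($real, rtrim($root, '/') . '/') === 0) {
        throw new RuntimeException('file is inside the document root');
    }
    // The web server user must be able to read the file, but no "other"
    // permission bit (read, write or execute) should be set.
    $mode = fileperms($real) & 0777;
    if ($mode & 0007) {
        throw new RuntimeException(sprintf('mode %04o is open to all local users', $mode));
    }
    $cfg = parse_ini_file($real);
    foreach (['host', 'user', 'password', 'database'] as $key) {
        if ($cfg === false || !isset($cfg[$key])) {
            throw new RuntimeException("missing or unreadable setting: $key");
        }
    }
    return $cfg;
}

// Constructed demo: a throwaway tree stands in for a real server layout.
$base = sys_get_temp_dir() . '/dbcred_demo_' . getmypid();
mkdir("$base/htdocs", 0755, true);
mkdir("$base/private", 0750, true);
$ini = "host = localhost\nuser = webapp\npassword = \"constructed-sample\"\ndatabase = shop\n";
$cases = ['htdocs/db.ini' => 0640, 'private/open.ini' => 0644, 'private/db.ini' => 0640];
foreach ($cases as $rel => $perm) {
    file_put_contents("$base/$rel", $ini);
    chmod("$base/$rel", $perm);
    try {
        $cfg = load_db_credentials("$base/$rel", "$base/htdocs");
        // In an application: new mysqli($cfg['host'], $cfg['user'], $cfg['password'], $cfg['database']);
        echo "$rel: accepted for user {$cfg['user']}\n";
    } catch (RuntimeException $e) {
        echo "$rel: rejected, {$e->getMessage()}\n";
    }
}
```

Run from the command line, the demo rejects the copy under `htdocs` and the world-readable copy, and accepts only the mode 0640 file outside the document root.
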
RE: [PHP-DB] MySQL password protection?
The standard apache install filters anything named .ht*. on the web tree.

-- Josh

-----Original Message-----
From: Peter Beckman [mailto:beckman;purplecow.com]
Sent: Wednesday, November 06, 2002 6:44 PM
To: Steve Cayford
Cc: [EMAIL PROTECTED]; William Trappeniers
Subject: Re: [PHP-DB] MySQL password protection?

And make sure you make sure the webserver will not SERVE that file!!! You see the source, see that you are fopening the file, I'll find it on your system and get it from the web server and I have your password!

Make sure the file is NOT in the document root that the web server serves from. You could also just use the file .htpasswd, usually by default web servers will NOT serve any file named that. However, much safer to put it somewhere that the web server cannot see (but your PHP script can).

Also, this is just as insecure as the other way to any person with a login on the box your PHP script is in. Usually the script is owned by nobody:nobody or read-write all, in which case all local users can get your password. The nobody method at least keeps no password.

Peter

On Wed, 6 Nov 2002, Steve Cayford wrote:

> You could put it anywhere. Stick it in a text file somewhere, fopen() and read the file for the password. Or keep it in a php script outside of the web root if that's the issue, then just include() it when you need to.
>
> Of course any file you put it in will have to be readable by whatever user the webserver is running as.
>
> -Steve
>
> On Wednesday, November 6, 2002, at 04:16 PM, 1LT John W. Holmes wrote:
>
>>> I was wondering if it is possible to protect my password to the MySQL-server from being in a PHP-script. Now I can't do that, so everybody who gets to see my php-sourcecode also can see my (not protected/not encrypted) password. How can I change this?
>>
>> You can't, unless you want to put it in php.ini or a my.conf file...
>>
>> ---John Holmes...

---
Peter Beckman    Systems Engineer, Fairfax Cable Access Corporation
[EMAIL PROTECTED]    http://www.purplecow.com/
---

RE: [PHP-DB] MySQL password protection?
Also, you can limit access to a specific table in a specific database for a specific user, if it makes sense in your application.

-- Josh

-----Original Message-----
From: Peter Beckman [mailto:beckman;purplecow.com]
Sent: Wednesday, November 06, 2002 6:41 PM
To: William Trappeniers
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP-DB] MySQL password protection?

Create a user nobody with no password and give that user select, update, delete and insert capabilities in your DB and can only connect from localhost (or a certain host). This way they have to be on localhost in order to gain access to your tables, and only then be able to do what your nobody user can do. Then you need to make sure nobody can gain access to localhost without express permission (i.e. plug all security holes).

Why are you showing people your source-code that has your password in it?

Peter

On Wed, 6 Nov 2002, William Trappeniers wrote:

> Hi all
>
> I was wondering if it is possible to protect my password to the MySQL-server from being in a PHP-script. Now I can't do that, so everybody who gets to see my php-sourcecode also can see my (not protected/not encrypted) password. How can I change this?
>
> Thanks,
> William
>
> ---
> William Trappeniers
> mail at: [EMAIL PROTECTED]

---
Peter Beckman    Systems Engineer, Fairfax Cable Access Corporation
[EMAIL PROTECTED]    http://www.purplecow.com/
---

Re: [PHP-DB] MySQL password protection?
One thing I do with Postgres that I'm not sure MySQL supports is Kerberos5 authentication. This way, a user logs in (and they have a user account on the DB) and I use their remote user name and their Kerberos ticket to authenticate them to the DB. That works without having to store a password anywhere on the filesystem.

--Dave

William Trappeniers wrote:

> Hi all
>
> I was wondering if it is possible to protect my password to the MySQL-server from being in a PHP-script. Now I can't do that, so everybody who gets to see my php-sourcecode also can see my (not protected/not encrypted) password. How can I change this?
>
> Thanks,
> William
>
> ---
> William Trappeniers
> mail at: [EMAIL PROTECTED]