Re: [PHP] MySQL password file

2005-07-19 Thread Jason Wong
On Monday 18 July 2005 18:53, Lawrence Kennon wrote:
 In my current hosting situation I don't have the ability to store my
 file that contains MySQL userids/passwords in a subdirectory that is
 not under the server root. In order to protect it from being included
 from a foreign host I thought up this scheme of using the php_uname
 function to check that it is running on the correct host. Does this
 look reasonably secure? I am not hosting any kind of store, or terribly
 sensitive data - it will only be a bulletin board.

If by foreign host you mean a remote (ie over the network) host then 
there is nothing for you to worry about (if your webserver is configured 
correctly -- see below). When using include() on a remote file you are 
only including the output of that file AFTER it has been processed by 
php. Thus in the case of the example below where you're only defining a 
bunch of constants there is no output and thus nothing to include. 

 define ('DB_USER', 'username');
 define ('DB_PASSWORD', 'password');
 define ('DB_HOST', 'localhost');
 define ('DB_NAME', 'dbname');

**Beware** if you're using a non-standard filename extension for your 
include files, eg .inc, and have not configured your webserver to process 
these using php then it *is* possible to include and use these 
remotely. You can easily check this by entering the URL of the include 
file into a browser and then view source, what you see is what will be 
included by a foreign host.

What you should be more concerned about if you're on a shared host is that 
there is a good possibility that your co-hosts are able to access your 
files anyway.

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design  Hosting * Internet  Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
New Year Resolution: Ignore top posted posts

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
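
Added example, not part of the thread: the browser check Jason Wong describes, as a PHP command-line script that reports whether an include file's URL returns raw source. The constant-name pattern and the sample response bodies are constructed; checking a URL passed as an argument assumes allow_url_fopen is enabled.

```php
<?php
// Added example, not from the thread.

/**
 * List what a response body gives away about the include file.
 * An empty array means the client received nothing usable.
 */
function leakedItems(string $body): array
{
    $reasons = [];
    // A file the server did not run through PHP still carries its open tag.
    if (preg_match('/<\?(php\b|=|\s)/i', $body)) {
        $reasons[] = 'PHP source served unprocessed';
    }
    // Report the names of exposed DB_* constants, never their values.
    if (preg_match_all('/define\s*\(\s*[\'"](DB_\w+)[\'"]/', $body, $m)) {
        foreach (array_unique($m[1]) as $name) {
            $reasons[] = "$name visible";
        }
    }
    return $reasons;
}

// Constructed sample bodies: what a client would get for each file name.
$responses = [
    'datadef.php (run by PHP, no output)' => '',
    'datadef.inc (sent as plain text)' =>
        "<?php\ndefine ('DB_USER', 'username');\n"
        . "define ('DB_PASSWORD', 'password');\n",
];

// Given a URL on the command line, check the live response instead.
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $body = @file_get_contents($argv[1]);   // needs allow_url_fopen
    if ($body === false) {
        fwrite(STDERR, "request failed: {$argv[1]}\n");
        exit(2);
    }
    $responses = [$argv[1] => $body];
}

$exposed = false;
foreach ($responses as $label => $body) {
    $reasons = leakedItems($body);
    $exposed = $exposed || $reasons !== [];
    echo $label, ': ',
        $reasons ? 'EXPOSED: ' . implode(', ', $reasons) : 'nothing leaked',
        "\n";
}
exit($exposed ? 1 : 0);
```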



[PHP] MySQL password file

2005-07-18 Thread Lawrence Kennon
In my current hosting situation I don't have the ability to store my file 
that contains MySQL userids/passwords in a subdirectory that is not under 
the server root. In order to protect it from being included from a foreign 
host I thought up this scheme of using the php_uname function to check that 
it is running on the correct host. Does this look reasonably secure? I am 
not hosting any kind of store, or terribly sensitive data - it will only be 
a bulletin board.


This is the format of my datadef.php file which will be included in my php 
scripts that access the MySQL database.


<?php

$host = php_uname('n');

if (($host == 'devhost') || ($host == 'prodhost'))
{
   define ('DB_USER', 'username');
   define ('DB_PASSWORD', 'password');
   define ('DB_HOST', 'localhost');
   define ('DB_NAME', 'dbname');
}
else
{
   exit();
}
?>

Thanks for your comments,

Lawrence Kennon





[PHP] MySQL Password Function

2003-11-06 Thread Shaun
Hi,

I am trying to make my site more secure, can anyone suggest a tutorial on
using the mySQL password function with PHP. I can't find anything through
google...

Thanks for your help




Re: [PHP] MySQL Password Function

2003-11-06 Thread Raditha Dissanayake
Hi,
it's very simple instead of using
insert into users set userPassword='123'; you say
insert into users set userPassword=password('123');
Shaun wrote:

Hi,

I am trying to make my site more secure, can anyone suggest a tutorial on
using the mySQL password function with PHP. I can't find anything through
google...
Thanks for your help

 



--
Raditha Dissanayake.

http://www.radinks.com/sftp/  |  http://www.raditha/megaupload/
Lean and mean Secure FTP applet with  |  Mega Upload - PHP file uploader
Graphical User Interface. Just 150 KB  |  with progress bar.


Re: [PHP] MySQL Password Function

2003-11-06 Thread CPT John W. Holmes
From: Raditha Dissanayake [EMAIL PROTECTED]
 From: Shaun
 I am trying to make my site more secure, can anyone suggest a tutorial on
 using the mySQL password function with PHP. I can't find anything through
 google...

 it's very simple instead of using
 insert into users set userPassword='123'; you say
 insert into users set userPassword=password('123');

And the column type should be CHAR(16) or VARCHAR(16), as the result of
PASSWORD() is always 16 characters.

Oh, and this will do almost NOTHING to make your site more secure. Why do
you think it will?

---John Holmes...




Re: [PHP] MySQL Password Function

2003-11-06 Thread Raditha Dissanayake
Hi,

Oh, and this will do almost NOTHING to make your site more secure. Why do
you think it will?
---John Holmes...

 

You are partly right about this we had a nice flame war about this very 
issue couple of weeks ago on the jabber lists. Anyone interested in the 
nitty gritty can google on the jabber archives. I still use the 
password() function whenever i can cause i only have to type in about 10 
keystrokes anyhow, the reason is that it will keep other users of the 
database from accidentally seeing passwords that they shouldn't.  Since 
this is one way hashes it cannot be decoded. Almost any argument that 
applies for/against /etc/password would apply to mysql password() as well.

--
Raditha Dissanayake.

http://www.radinks.com/sftp/  |  http://www.raditha/megaupload/
Lean and mean Secure FTP applet with  |  Mega Upload - PHP file uploader
Graphical User Interface. Just 150 KB  |  with progress bar.


Re: [PHP] MySQL Password Function

2003-11-06 Thread CPT John W. Holmes
From: Raditha Dissanayake [EMAIL PROTECTED]
 Oh, and this will do almost NOTHING to make your site more secure. Why do
 you think it will?

 You are partly right about this we had a nice flame war about this very
 issue couple of weeks ago on the jabber lists. Anyone interested in the
 nitty gritty can google on the jabber archives. I still use the
 password() function whenever i can cause i only have to type in about 10
 keystrokes anyhow, the reason is that it will keep other users of the
 database from accidentally seeing passwords that they shouldn't.  Since
 this is one way hashes it cannot be decoded. Almost any argument that
 applies for/against /etc/password would apply to mysql password() as well.

True, true. I actually use MD5() for the same reason, but, really, if
someone has access to the database to read the hashes, odds are they have
access to the rest of the database and your code. So what are you protecting
really?

In my eyes, it's just another tool to keep honest people honest...

---John Holmes...




Re: [PHP] MySQL Password Function

2003-11-06 Thread John Nichel
Shaun wrote:

Hi,

I am trying to make my site more secure, can anyone suggest a tutorial on
using the mySQL password function with PHP. I can't find anything through
google...
Thanks for your help

Not that this would make your site more secure (well, I guess it would 
be more secure than plain text), but just use it in your query

INSERT INTO someDB.someTable ( username, password ) VALUES ( 
'{$username}', PASSWORD('{$password}') );

--
By-Tor.com
It's all about the Rush
http://www.by-tor.com


Re: [PHP] MySQL Password Function

2003-11-06 Thread Shaun

John Nichel [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Shaun wrote:

  Hi,
 
  I am trying to make my site more secure, can anyone suggest a tutorial on
  using the mySQL password function with PHP. I can't find anything through
  google...
 
  Thanks for your help
 

 Not that this would make your site more secure (well, I guess it would
 be more secure than plain text), but just use it in your query

 INSERT INTO someDB.someTable ( username, password ) VALUES (
 '{$username}', PASSWORD('{$password}') );

 -- 
 By-Tor.com
 It's all about the Rush
 http://www.by-tor.com

Thank you for your replies,

can i just confirm that the user uses the encrypted version of the password
or the originally inserted version to login?

Thanks for your help




Re: [PHP] MySQL Password Function

2003-11-06 Thread John Nichel
Shaun wrote:
John Nichel [EMAIL PROTECTED] wrote in message
snip
Not that this would make your site more secure (well, I guess it would
be more secure than plain text), but just use it in your query
INSERT INTO someDB.someTable ( username, password ) VALUES (
'{$username}', PASSWORD('{$password}') );
--
By-Tor.com
It's all about the Rush
http://www.by-tor.com


Thank you for your replies,

can i just confirm that the user uses the encrypted version of the password
or the originally inserted version to login?
Thanks for your help

Yes, you can.  But by the time it has reached the MySQL server, it has 
passed from the client to your server via plain text, and to my 
understanding (I may be wrong here), MySQL's built in password function 
isn't all that secure.  For better security, I would suggest a 
combination of https and md5, or write a custom encryption function.

--
By-Tor.com
It's all about the Rush
http://www.by-tor.com


Re: [PHP] MySQL Password Function

2003-11-06 Thread David Otton
On Thu, 6 Nov 2003 09:09:57 -0500, you wrote:

True, true. I actually use MD5() for the same reason, but, really, if
someone has access to the database to read the hashes, odds are they have
access to the rest of the database and your code. So what are you protecting
really?

Many people use the same password over multiple sites.

A database/OS bug could expose the user table without exposing the rest of
the machine.

If you have the plaintext password you can impersonate the user and modify
data.

I would be /very/ uncomfortable if I found that a site I use for anything
meaningful stored passwords as plaintext. If nothing else, it's a litmus
test of how seriously they take security.

(agree about using md5() (sha1() is even better) not password(), though -
nobody should be using password(), as the manual points out:
http://www.mysql.com/doc/en/Miscellaneous_functions.html)




[PHP] mysql password function

2002-09-22 Thread Murat Ö.

hi,
i want to encode a string that users enter with mysql password function. but
sometimes this code works sometimes don't. mysql warns me:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result
resource in 

the code is:

$result=mysql_query("select password(".$_POST['password'].")");
  while ($p = mysql_fetch_array($result, MYSQL_ASSOC)):
  $pswrd=$p['password('.$_POST['password'].')'];
  endwhile;

thanks...








RE: [PHP] mysql password function

2002-09-22 Thread John Holmes

Use this:

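// Quote and escape the value: left unquoted, the query fails for non-numeric input
$result = mysql_query("SELECT PASSWORD('" . mysql_real_escape_string($_POST['password']) . "')");
$password = mysql_result($result,0);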

or just use mysql_fetch_row() or AS in your query so you don't have to
recreate that complex column name.

---John Holmes...

 -Original Message-
 From: Murat Ö. [mailto:[EMAIL PROTECTED]]
 Sent: Sunday, September 22, 2002 9:33 AM
 To: [EMAIL PROTECTED]
 Subject: [PHP] mysql password function
 
 hi,
 i want to encode a string that users enter with mysql password function. but
 sometimes this code works sometimes don't. mysql warns me:
 Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result
 resource in 
 
 the code is:
 
 $result=mysql_query("select password(".$_POST['password'].")");
   while ($p = mysql_fetch_array($result, MYSQL_ASSOC)):
   $pswrd=$p['password('.$_POST['password'].')'];
   endwhile;
 
 thanks...
 
 
 
 






[PHP] MySQL PASSWORD() Question

2002-08-25 Thread Tony Harrison

If I insert a row's field's value using the PASSWORD() function, will I need
to use it or another function to find that row using the same field?

-
[EMAIL PROTECTED]
http://www.cool-palace.com







[PHP] MySQL password()

2002-07-30 Thread Liam MacKenzie

Hi all,
I do this:


 dbconnect();
  $query="SELECT * FROM users where username='$PHP_AUTH_USER'";
  $result=mysql_query($query);
  $list=mysql_fetch_array($result);
  if ($PHP_AUTH_PW !== $list[passwd] || "" == $PHP_AUTH_PW || "all" != $list[domain]){
   Header("WWW-authenticate: basic realm=\"EMM\"");
  Header( "HTTP/1.0 401 Unauthorized");
  unauthorized();
  exit;
  }
 }




Note this bit:
if ($PHP_AUTH_PW !== $list[passwd]

My problem is that the password stored in MySQL was done with password(), so
it comes out similar to this as plain text:

072g307j9236a82h3u


How do I Un password() it?

I have RTFM but to no avail.

If you tell me to RTFM again, at least tell me what to search for  ;-)

Cheers,
Liam








Re: [PHP] MySQL password()

2002-07-30 Thread Liam MacKenzie

Mmm.. think you misinterpreted my question...


http://www.mysql.com/doc/M/i/Miscellaneous_functions.html

PASSWORD(str)
how do you unPASSWORD(str) in PHP?




- Original Message -
From: Negrea Mihai [EMAIL PROTECTED]
To: Liam MacKenzie [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, July 30, 2002 4:31 PM
Subject: Re: [PHP] MySQL password()


 Try doing on the first time this:
 $query="SELECT * FROM users where username='$PHP_AUTH_USER' and passwd =password('$PHP_AUTH_PW')";
 then with mysql_num_rows you find out if the query returned any row.. or with
 is_resource()
 if it returned then the authentication was successful.. if not.. not :)


 On Tuesday 30 July 2002 09:28 am, Liam MacKenzie wrote:
  Hi all,
  I do this:
 
 
   dbconnect();
    $query="SELECT * FROM users where username='$PHP_AUTH_USER'";
    $result=mysql_query($query);
    $list=mysql_fetch_array($result);
    if ($PHP_AUTH_PW !== $list[passwd] || "" == $PHP_AUTH_PW || "all" != $list[domain]){
     Header("WWW-authenticate: basic realm=\"EMM\"");
    Header( "HTTP/1.0 401 Unauthorized");
    unauthorized();
    exit;
    }
   }
 
 
 
 
  Note this bit:
  if ($PHP_AUTH_PW !== $list[passwd]
 
  My problem is that the password stored in MySQL was done with password(),
  so it comes out similar to this as plain text:
 
  072g307j9236a82h3u
 
 
  How do I Un password() it?
 
  I have RTFM but to no avail.
 
  If you tell me to RTFM again, at least tell me what to search for  ;-)
 
  Cheers,
  Liam

 --
 Negrea Mihai
 web: http://www.negrea.net











RE: [PHP] MySQL password()

2002-07-30 Thread David Freeman


  Mmm.. think you misinterpreted my question...
  
  
  http://www.mysql.com/doc/M/i/Miscellaneous_functions.html
  
  PASSWORD(str)
  how do you unPASSWORD(str) in PHP?

Basically, you don't.

Instead, what you do is use the password that was provided as user
input.  You create a suitable database query where one of the select
criteria is PASSWORD(user_input_password) - then if you get a match they
must have entered the right password.

CYA, Dave




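
Added example, not code from any poster: the check David Freeman describes above, which also answers Shaun's question in the PASSWORD() thread, is to hash what the user typed and compare it with the stored hash. It swaps MySQL PASSWORD()/MD5() for PHP's password_hash() and password_verify() and binds the username as a parameter; PDO with the SQLite driver, the users table and the sample account are assumptions made so that it runs offline.

```php
<?php
// Added example, not from the thread. Assumptions: PDO with the SQLite
// driver (in-memory) and a constructed `users` table. The same PDO calls
// work against MySQL with a mysql: DSN.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, passwd TEXT NOT NULL)');

/** Store only a salted one-way hash; the plaintext is never written. */
function registerUser(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, passwd) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

/**
 * Check a login by hashing what the user typed and comparing it with the
 * stored hash. The stored value is never decoded.
 */
function checkLogin(PDO $db, string $username, string $password): bool
{
    // Bound parameter: the username is data, never part of the SQL text.
    $stmt = $db->prepare('SELECT passwd FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false;   // unknown user
    }
    // password_verify() reads the salt from $hash and compares in constant time.
    return password_verify($password, $hash);
}

registerUser($db, 'alice', 'correct horse');   // constructed sample account

$attempts = [
    ['alice', 'correct horse'],    // right password
    ['alice', 'wrong'],            // wrong password
    ['nobody', 'correct horse'],   // unknown user
    ["o'brien", 'x'],              // apostrophe in the name does not break the query
    ['alice', ''],                 // empty password
];
foreach ($attempts as [$user, $pass]) {
    printf("%-10s %-15s => %s\n", $user, $pass === '' ? '(empty)' : $pass,
        checkLogin($db, $user, $pass) ? 'accepted' : 'rejected');
}
```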




RE: [PHP] MYSQL Password

2001-05-18 Thread scott [gts]

from the shell, you can use the mysql program 
./mysql -uUser -pPass dbname

from PHP, why don't you just use: mysql_connect(...);

it seems that you might be confused about mysql, trying to
access it via PHP from the unix shell.  if you want to
set a unix shell environment variable and access it from 
PHP, you can do this, but i don't know how ;) because 
i've never had to do it.

beware of any security risks that this might open you
up for... storing passwords as env. vars

 -Original Message-
 From: Jack Sasportas [mailto:[EMAIL PROTECTED]]
 Subject: Re: [PHP] MYSQL Password
 
 
 pass the parameter -p and it will ask you for the password
 
 Andreas Pucko wrote:
 
  Hello,
 
  I am trying to get mysql running and connect via php to it.
 
  how can I set the password in a unixshell to get access to it?
 
  When I try to access the db I get:
 
  Warning: MySQL Connection Failed: Access denied for user: 'root@localhost'
  (Using password: NO) in /psr/mysqladmin/lib.inc.php on line 255
  Error
 
  Andy suggestions?
 
  Cheers
 
  Andy






[PHP] MYSQL Password

2001-05-17 Thread Andreas Pucko

Hello,

I am trying to get mysql running and connect via php to it.

how can I set the password in a unixshell to get access to it?

When I try to access the db I get:


Warning: MySQL Connection Failed: Access denied for user: 'root@localhost'
(Using password: NO) in /psr/mysqladmin/lib.inc.php on line 255
Error

Andy suggestions?

Cheers

Andy






Re: [PHP] MYSQL Password

2001-05-17 Thread Jack Sasportas

pass the parameter -p and it will ask you for the password

Andreas Pucko wrote:

 Hello,

 I am trying to get mysql running and connect via php to it.

 how can I set the password in a unixshell to get access to it?

 When I try to access the db I get:

 Warning: MySQL Connection Failed: Access denied for user: 'root@localhost'
 (Using password: NO) in /psr/mysqladmin/lib.inc.php on line 255
 Error

 Andy suggestions?

 Cheers

 Andy


--
___
Jack Sasportas
Innovative Internet Solutions
Phone 305.665.2500
Fax 305.665.2551
www.innovativeinternet.com
www.web56.net







Re: [PHP] MYSQL Password

2001-05-17 Thread John Monfort



  Can you connect to MySQL manually?

  If so, then you should be able to connect with PHP's
mysql_connect($host,$username,$password);



__John Monfort_
_+---+_
 P E P I E  D E S I G N S
   www.pepiedesigns.com
The world is waiting, are you ready?
-+___+-

On Thu, 17 May 2001, Andreas Pucko wrote:

 Hello,

 I am trying to get mysql running and connect via php to it.

 how can I set the password in a unixshell to get access to it?

 When I try to access the db I get:


 Warning: MySQL Connection Failed: Access denied for user: 'root@localhost'
 (Using password: NO) in /psr/mysqladmin/lib.inc.php on line 255
 Error

 Andy suggestions?

 Cheers

 Andy










[PHP] PHP MySQL password

2001-01-30 Thread Egan

I know that ~.my.cnf with

  [client]
  password={mypass}

is the recommended method of securing your MySQL password when using a
shell command line to access MySQL.

But what is the recommended method for MySQL password security via
PHP?  Is there some way to make it use the ~.my.cnf file?

It seems to me that if you hardcode a MySQL password into your PHP
source code, it could become exposed inadvertently.


Egan

