Re: [PHP] MySQL password file
On Monday 18 July 2005 18:53, Lawrence Kennon wrote:

> In my current hosting situation I don't have the ability to store my file that contains MySQL userids/passwords in a subdirectory that is not under the server root. In order to protect it from being included from a foreign host I thought up this scheme of using the php_uname function to check that it is running on the correct host. Does this look reasonably secure? I am not hosting any kind of store, or terribly sensitive data - it will only be a bulletin board.

If by foreign host you mean a remote (ie over the network) host then there is nothing for you to worry about (if your webserver is configured correctly -- see below). When using include() on a remote file you are only including the output of that file AFTER it has been processed by php. Thus in the case of the example below where you're only defining a bunch of constants there is no output and thus nothing to include.

> define ('DB_USER', 'username');
> define ('DB_PASSWORD', 'password');
> define ('DB_HOST', 'localhost');
> define ('DB_NAME', 'dbname');

**Beware** if you're using a non-standard filename extension for your include files, eg .inc, and have not configured your webserver to process these using php then it *is* possible to include and use these remotely. You can easily check this by entering the URL of the include file into a browser and then view source, what you see is what will be included by a foreign host.

What you should be more concerned about if you're on a shared host is that there is a good possibility that your co-hosts are able to access your files anyway.

--
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design Hosting * Internet Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
New Year Resolution: Ignore top posted posts

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

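The check described in the reply above (request the include file's URL and look at what comes back) can be scripted. This is an added example, not code from the thread; the function name and the two sample responses are constructed for illustration.

```php
<?php
// Added example, not from the thread. Classifies what a web server returned
// for a direct request to an include file such as datadef.php or datadef.inc.

/**
 * @param string $body Response body of a direct GET for the include file.
 * @return string[]    Findings; an empty array means nothing leaked.
 */
function audit_include_response(string $body): array
{
    $findings = [];
    if (trim($body) === '') {
        // PHP executed the file: constants were defined, nothing was printed.
        return $findings;
    }
    $findings[] = 'non-empty body: a remote include() would receive this text';
    if (preg_match('/<\?(php|=)?/i', $body)) {
        $findings[] = 'raw PHP open tag: the server is not executing this extension';
    }
    if (preg_match_all('/define\s*\(\s*[\'"](DB_[A-Z_]+)[\'"]/', $body, $m)) {
        $findings[] = 'credential constants visible: ' . implode(', ', $m[1]);
    }
    return $findings;
}

// Constructed sample responses (assumptions for illustration).
$samples = [
    'datadef.php (handled by PHP)' => '',
    'datadef.inc (served as text)' =>
        "<?php\ndefine ('DB_USER', 'username');\ndefine ('DB_PASSWORD', 'password');\n?>",
];

foreach ($samples as $label => $body) {
    $findings = audit_include_response($body);
    echo $label, ': ';
    echo $findings ? "EXPOSED\n  - " . implode("\n  - ", $findings) : 'ok', "\n";
}
```

Against your own site, pass the body returned by a plain HTTP request for the include file's URL instead of the sample strings.
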
[PHP] MySQL password file
In my current hosting situation I don't have the ability to store my file that contains MySQL userids/passwords in a subdirectory that is not under the server root. In order to protect it from being included from a foreign host I thought up this scheme of using the php_uname function to check that it is running on the correct host. Does this look reasonably secure? I am not hosting any kind of store, or terribly sensitive data - it will only be a bulletin board.

This is the format of my datadef.php file which will be included in my php scripts that access the MySQL database.

<?php
$host = php_uname('n');
if (($host == 'devhost') || ($host == 'prodhost')) {
    define ('DB_USER', 'username');
    define ('DB_PASSWORD', 'password');
    define ('DB_HOST', 'localhost');
    define ('DB_NAME', 'dbname');
} else {
    exit();
}
?>

Thanks for your comments,
Lawrence Kennon

[PHP] MySQL Password Function
Hi,

I am trying to make my site more secure, can anyone suggest a tutorial on using the mySQL password function with PHP. I can't find anything through google...

Thanks for your help

Re: [PHP] MySQL Password Function
Hi,

it's very simple instead of using

    insert into users set userPassword='123';

you say

    insert into users set userPassword=password('123');

Shaun wrote:

> Hi,
>
> I am trying to make my site more secure, can anyone suggest a tutorial on using the mySQL password function with PHP. I can't find anything through google...
>
> Thanks for your help

--
Raditha Dissanayake.
http://www.radinks.com/sftp/         | http://www.raditha/megaupload/
Lean and mean Secure FTP applet with | Mega Upload - PHP file uploader
Graphical User Interface. Just 150 KB | with progress bar.

Re: [PHP] MySQL Password Function
From: Raditha Dissanayake [EMAIL PROTECTED]

> From: Shaun
> > I am trying to make my site more secure, can anyone suggest a tutorial on using the mySQL password function with PHP. I can't find anything through google...
>
> it's very simple instead of using
>
>     insert into users set userPassword='123';
>
> you say
>
>     insert into users set userPassword=password('123');

And the column type should be CHAR(16) or VARCHAR(16), as the result of PASSWORD() is always 16 characters.

Oh, and this will do almost NOTHING to make your site more secure. Why do you think it will?

---John Holmes...

Re: [PHP] MySQL Password Function
Hi,

> Oh, and this will do almost NOTHING to make your site more secure. Why do you think it will?
>
> ---John Holmes...

You are partly right about this we had a nice flame war about this very issue couple of weeks ago on the jabber lists. Anyone interested in the nitty gritty can google on the jabber archives.

I still use the password() function whenever i can cause i only have to type in about 10 keystrokes anyhow, the reason is that it will keep other users of the database from accidentally seeing passwords that they shouldn't. Since this is one way hashes it cannot be decoded. Almost any argument that applies for/against /etc/password would apply to mysql password() as well.

--
Raditha Dissanayake.
http://www.radinks.com/sftp/         | http://www.raditha/megaupload/
Lean and mean Secure FTP applet with | Mega Upload - PHP file uploader
Graphical User Interface. Just 150 KB | with progress bar.

Re: [PHP] MySQL Password Function
From: Raditha Dissanayake [EMAIL PROTECTED]

> > Oh, and this will do almost NOTHING to make your site more secure. Why do you think it will?
>
> You are partly right about this we had a nice flame war about this very issue couple of weeks ago on the jabber lists. Anyone interested in the nitty gritty can google on the jabber archives.
>
> I still use the password() function whenever i can cause i only have to type in about 10 keystrokes anyhow, the reason is that it will keep other users of the database from accidentally seeing passwords that they shouldn't. Since this is one way hashes it cannot be decoded. Almost any argument that applies for/against /etc/password would apply to mysql password() as well.

True, true. I actually use MD5() for the same reason, but, really, if someone has access to the database to read the hashes, odds are they have access to the rest of the database and your code. So what are you protecting really? In my eyes, it's just another tool to keep honest people honest...

---John Holmes...

Re: [PHP] MySQL Password Function
Shaun wrote:

> Hi,
>
> I am trying to make my site more secure, can anyone suggest a tutorial on using the mySQL password function with PHP. I can't find anything through google...
>
> Thanks for your help

Not that this would make your site more secure (well, I guess it would be more secure than plain text), but just use it in your query

    INSERT INTO someDB.someTable ( username, password ) VALUES ( '{$username}', PASSWORD('{$password}') );

--
By-Tor.com
It's all about the Rush
http://www.by-tor.com

Re: [PHP] MySQL Password Function
John Nichel [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> Shaun wrote:
>
> > Hi,
> >
> > I am trying to make my site more secure, can anyone suggest a tutorial on using the mySQL password function with PHP. I can't find anything through google...
> >
> > Thanks for your help
>
> Not that this would make your site more secure (well, I guess it would be more secure than plain text), but just use it in your query
>
>     INSERT INTO someDB.someTable ( username, password ) VALUES ( '{$username}', PASSWORD('{$password}') );
>
> --
> By-Tor.com
> It's all about the Rush
> http://www.by-tor.com

Thank you for your replies, can i just confirm that the user uses the encrypted version of the password or the originally inserted version to login?

Thanks for your help

Re: [PHP] MySQL Password Function
Shaun wrote:

> John Nichel [EMAIL PROTECTED] wrote in message
> <snip>
>
> > Not that this would make your site more secure (well, I guess it would be more secure than plain text), but just use it in your query
> >
> >     INSERT INTO someDB.someTable ( username, password ) VALUES ( '{$username}', PASSWORD('{$password}') );
> >
> > --
> > By-Tor.com
> > It's all about the Rush
> > http://www.by-tor.com
>
> Thank you for your replies, can i just confirm that the user uses the encrypted version of the password or the originally inserted version to login?
>
> Thanks for your help

Yes, you can. But by the time it has reached the MySQL server, it has passed from the client to your server via plain text, and to my understanding (I may be wrong here), MySQL's built in password function isn't all that secure. For better security, I would suggest a combination of https and md5, or write a custom encryption function.

--
By-Tor.com
It's all about the Rush
http://www.by-tor.com

Re: [PHP] MySQL Password Function
On Thu, 6 Nov 2003 09:09:57 -0500, you wrote:

> True, true. I actually use MD5() for the same reason, but, really, if someone has access to the database to read the hashes, odds are they have access to the rest of the database and your code. So what are you protecting really?

Many people use the same password over multiple sites.

A database/OS bug could expose the user table without exposing the rest of the machine. If you have the plaintext password you can impersonate the user and modify data.

I would be /very/ uncomfortable if I found that a site I use for anything meaningful stored passwords as plaintext. If nothing else, it's a litmus test of how seriously they take security.

(agree about using md5() (sha1() is even better) not password(), though - nobody should be using password(), as the manual points out: http://www.mysql.com/doc/en/Miscellaneous_functions.html)

[PHP] mysql password function
hi,

i want to encode a string that users enter with mysql password function. but sometimes this code works sometimes don't. mysql warns me:

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in

the code is:

    $result=mysql_query("select password(".$_POST['password'].")");
    while ($p = mysql_fetch_array($result, MYSQL_ASSOC)):
        $pswrd=$p['password('.$_POST['password'].')'];
    endwhile;

thanks...

RE: [PHP] mysql password function
Use this:

    $result = mysql_query("SELECT PASSWORD('" . mysql_real_escape_string($_POST['password']) . "')");
    $password = mysql_result($result,0);

or just use mysql_fetch_row() or AS in your query so you don't have to recreate that complex column name.

---John Holmes...

-Original Message-
From: Murat Ö. [mailto:[EMAIL PROTECTED]]
Sent: Sunday, September 22, 2002 9:33 AM
To: [EMAIL PROTECTED]
Subject: [PHP] mysql password function

hi,

i want to encode a string that users enter with mysql password function. but sometimes this code works sometimes don't. mysql warns me:

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in

the code is:

    $result=mysql_query("select password(".$_POST['password'].")");
    while ($p = mysql_fetch_array($result, MYSQL_ASSOC)):
        $pswrd=$p['password('.$_POST['password'].')'];
    endwhile;

thanks...

[PHP] MySQL PASSWORD() Question
If I insert a row's field's value using the PASSWORD() function, will I need to use it or another function to find that row using the same field?

-
[EMAIL PROTECTED]
http://www.cool-palace.com

[PHP] MySQL password()
Hi all,

I do this:

    dbconnect();
    $query="SELECT * FROM users where username='$PHP_AUTH_USER'";
    $result=mysql_query($query);
    $list=mysql_fetch_array($result);
    if ($PHP_AUTH_PW !== $list[passwd] || "" == $PHP_AUTH_PW || "all" != $list[domain]){
        Header("WWW-authenticate: basic realm=\"EMM\"");
        Header( "HTTP/1.0 401 Unauthorized");
        unauthorized();
        exit;
    }
    }

Note this bit:

    if ($PHP_AUTH_PW !== $list[passwd]

My problem is that the password stored in MySQL was done with password(), so it comes out similar to this as plain text: 072g307j9236a82h3u

How do I Un password() it? I have RTFM but to no avail. If you tell me to RTFM again, at least tell me what to search for ;-)

Cheers,
Liam

Re: [PHP] MySQL password()
Mmm.. think you misinterpreted my question...

http://www.mysql.com/doc/M/i/Miscellaneous_functions.html

PASSWORD(str)

how do you unPASSWORD(str) in PHP?

- Original Message -
From: Negrea Mihai [EMAIL PROTECTED]
To: Liam MacKenzie [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, July 30, 2002 4:31 PM
Subject: Re: [PHP] MySQL password()

Try doing on the first time this:

    $query="SELECT * FROM users where username='" . mysql_real_escape_string($PHP_AUTH_USER) . "' and passwd=password('" . mysql_real_escape_string($PHP_AUTH_PW) . "')";

then with mysql_num_rows you find out if the query returned any row.. or with is_resource() if it returned then the authentication was successful.. if not.. not :)

On Tuesday 30 July 2002 09:28 am, Liam MacKenzie wrote:

> Hi all,
>
> I do this:
>
>     dbconnect();
>     $query="SELECT * FROM users where username='$PHP_AUTH_USER'";
>     $result=mysql_query($query);
>     $list=mysql_fetch_array($result);
>     if ($PHP_AUTH_PW !== $list[passwd] || "" == $PHP_AUTH_PW || "all" != $list[domain]){
>         Header("WWW-authenticate: basic realm=\"EMM\"");
>         Header( "HTTP/1.0 401 Unauthorized");
>         unauthorized();
>         exit;
>     }
>     }
>
> Note this bit:
>
>     if ($PHP_AUTH_PW !== $list[passwd]
>
> My problem is that the password stored in MySQL was done with password(), so it comes out similar to this as plain text: 072g307j9236a82h3u
>
> How do I Un password() it? I have RTFM but to no avail. If you tell me to RTFM again, at least tell me what to search for ;-)
>
> Cheers,
> Liam

--
Negrea Mihai
web: http://www.negrea.net

RE: [PHP] MySQL password()
> Mmm.. think you misinterpreted my question...
>
> http://www.mysql.com/doc/M/i/Miscellaneous_functions.html
>
> PASSWORD(str)
>
> how do you unPASSWORD(str) in PHP?

Basically, you don't.

Instead, what you do is use the password that was provided as user input. You create a suitable database query where one of the select criteria is PASSWORD(user_input_password) - then if you get a match they must have entered the right password.

CYA, Dave

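The replies above settle on hashing the submitted password and comparing hashes rather than reversing anything. As an added example (not code from the thread), here is the same flow using PHP's password_hash() and password_verify() in place of MySQL's PASSWORD() or md5(), with bound parameters; the SQLite in-memory database, table name and accounts are assumptions so that it runs stand-alone.

```php
<?php
// Added example, not from the thread. SQLite in memory stands in for MySQL
// (assumes the pdo_sqlite extension); table and column names are made up.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

function register_user(PDO $db, string $username, string $password): void
{
    // Salted, deliberately slow hash computed in PHP; the plaintext is never stored.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)')
       ->execute([$username, $hash]);
}

function check_login(PDO $db, string $username, string $password): bool
{
    // Bound parameter: the submitted name never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    // Each hash carries its own salt, so a "WHERE pw_hash = HASH(input)" lookup
    // cannot work; fetch the stored hash by username and verify it in PHP.
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }

    // Upgrade the stored hash when PHP's default algorithm or cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE users SET pw_hash = ? WHERE username = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

// Constructed sample accounts and login attempts.
register_user($db, 'alice', 'correct horse battery staple');
register_user($db, 'bob', 'correct horse battery staple');

$attempts = [
    ['alice', 'correct horse battery staple'],  // right password
    ['alice', 'Correct horse battery staple'],  // wrong password
    ["o'brien", 'anything'],                    // unknown user; the quote is harmless when bound
];
foreach ($attempts as [$user, $pass]) {
    printf("%-8s %s\n", $user, check_login($db, $user, $pass) ? 'accepted' : 'rejected');
}

// Two accounts with the same password still get different stored values.
$hashes = $db->query('SELECT pw_hash FROM users ORDER BY username')->fetchAll(PDO::FETCH_COLUMN);
echo 'stored hashes identical: ', var_export($hashes[0] === $hashes[1], true), "\n";
```
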
RE: [PHP] MYSQL Password
from the shell, you can use the mysql program

    ./mysql -uUser -pPass dbname

from PHP, why don't you just use:

    mysql_connect(...);

it seems that you might be confused about mysql, trying to access it via PHP from the unix shell.

if you want to set a unix shell environment variable and access it from PHP, you can do this, but i don't know how ;) because i've never had to do it. beware of any security risks that this might open you up for... storing passwords as env. vars

-Original Message-
From: Jack Sasportas [mailto:[EMAIL PROTECTED]]
Subject: Re: [PHP] MYSQL Password

pass the parameter -p and it will ask you for the password

Andreas Pucko wrote:

> Hello,
>
> I am trying to get mysql running and connect via php to it. how can I set the password in a unixshell to get access to it?
>
> When I try to access the db I get:
>
> Warning: MySQL Connection Failed: Access denied for user: 'root@localhost' (Using password: NO) in /psr/mysqladmin/lib.inc.php on line 255
> Error
>
> Andy suggestions?
>
> Cheers Andy

[PHP] MYSQL Password
Hello,

I am trying to get mysql running and connect via php to it. how can I set the password in a unixshell to get access to it?

When I try to access the db I get:

Warning: MySQL Connection Failed: Access denied for user: 'root@localhost' (Using password: NO) in /psr/mysqladmin/lib.inc.php on line 255
Error

Andy suggestions?

Cheers Andy

Re: [PHP] MYSQL Password
pass the parameter -p and it will ask you for the password

Andreas Pucko wrote:

> Hello,
>
> I am trying to get mysql running and connect via php to it. how can I set the password in a unixshell to get access to it?
>
> When I try to access the db I get:
>
> Warning: MySQL Connection Failed: Access denied for user: 'root@localhost' (Using password: NO) in /psr/mysqladmin/lib.inc.php on line 255
> Error
>
> Andy suggestions?
>
> Cheers Andy

--
___
Jack Sasportas
Innovative Internet Solutions
Phone 305.665.2500
Fax 305.665.2551
www.innovativeinternet.com
www.web56.net

Re: [PHP] MYSQL Password
Can you connect to MySQL manually?

If so, then you should be able to connect with PHP's

    mysql_connect($host,$username,$password);

__John Monfort_
_+---+_
P E P I E D E S I G N S
www.pepiedesigns.com
The world is waiting, are you ready?
-+___+-

On Thu, 17 May 2001, Andreas Pucko wrote:

> Hello,
>
> I am trying to get mysql running and connect via php to it. how can I set the password in a unixshell to get access to it?
>
> When I try to access the db I get:
>
> Warning: MySQL Connection Failed: Access denied for user: 'root@localhost' (Using password: NO) in /psr/mysqladmin/lib.inc.php on line 255
> Error
>
> Andy suggestions?
>
> Cheers Andy

[PHP] PHP MySQL password
I know that ~/.my.cnf with

    [client]
    password={mypass}

is the recommended method of securing your MySQL password when using a shell command line to access MySQL.

But what is the recommended method for MySQL password security via PHP? Is there some way to make it use the ~/.my.cnf file?

It seems to me that if you hardcode a MySQL password into your PHP source code, it could become exposed inadvertently.

Egan

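One way to keep the password out of PHP source, as an added example that is not part of the thread: read a my.cnf-style file with parse_ini_file() and refuse it when it sits under the document root or is readable by other accounts. The function name, paths and sample credentials are assumptions, and the permission check assumes a POSIX system.

```php
<?php
// Added example, not from the thread. Reads MySQL credentials from a
// my.cnf-style INI file and refuses files that the web server or other
// accounts could expose. Paths and names below are assumptions.

function load_db_credentials(string $path, string $docRoot): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("credentials file not found: $path");
    }

    // Reject a file that the web server could hand out as a static document.
    $root = realpath($docRoot);
    if ($root !== false) {
        $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $prefix, strlen($prefix)) === 0) {
            throw new RuntimeException('credentials file is inside the document root');
        }
    }

    // POSIX permission bits: any group/other access lets co-hosted accounts read it.
    clearstatcache(true, $real);
    if ((fileperms($real) & 0077) !== 0) {
        throw new RuntimeException('credentials file is accessible to group or others');
    }

    // INI_SCANNER_RAW keeps characters such as ! or ^ in a password literal.
    $ini = parse_ini_file($real, true, INI_SCANNER_RAW);
    if ($ini === false || !isset($ini['client']['user'], $ini['client']['password'])) {
        throw new RuntimeException('missing [client] user/password');
    }
    return [
        'host'     => $ini['client']['host'] ?? 'localhost',
        'user'     => $ini['client']['user'],
        'password' => $ini['client']['password'],
    ];
}

// Constructed demo: a temporary file stands in for a per-account credentials file.
$file = tempnam(sys_get_temp_dir(), 'cnf');
file_put_contents($file, "[client]\nuser=bbuser\npassword=s3cret!example\n");

$cases = [
    'private file, outside doc root' => [0600, '/nonexistent/htdocs'],
    'file inside doc root'           => [0600, sys_get_temp_dir()],
    'world-readable file'            => [0644, '/nonexistent/htdocs'],
];
foreach ($cases as $label => [$mode, $docRoot]) {
    chmod($file, $mode);
    try {
        $c = load_db_credentials($file, $docRoot);
        echo "$label: ok, user={$c['user']}\n";
    } catch (RuntimeException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
unlink($file);
```
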