RE: [PHP] web site security: how to hide login info for mysql-connection

2003-07-07 Thread Graham Rule
On Mon, 30 Jun 2003, Peter Janett wrote:
> This issue seems to be a huge issue, and I've been looking for a good
> solution for quite a long time.  My concern is that a shell emulating PHP or
> Perl script run as Apache can read or copy ANY PHP script used with PHP as
> an Apache module.

The reason I use php_value settings in Apache configuration files is to
get round these problems.  Provided these configuration files are only
able to be read by Apache when starting up (running as root, binding to
port 80, opening log files etc) no users' login shells, perl CGI scripts,
or shell CGI scripts can read them.  The only place that they are
available is to PHP scripts run in the relevant directory.  They cannot be
seen by PHP scripts run in other virtual servers or outwith the specified 
directory tree.

As far as I can see the only downside is that they are still held in plain 
text anywhere, and that Apache has to be restarted (gracefully) whenever 
they are changed.  It does of course assume that whoever is managing the 
server (has root access) is trusted with the MySQL passwords.

The only real doubt at the back of my mind about this is that a clever 
mod_perl programmer might be able to get Apache to disclose the 
information that should only be seen by PHP.  But then, you don't go 
around letting just anyone install mod_perl hacks in your server do you?

I'd be very grateful if anyone out there who can see any problems with my 
approach would let me know.

Graham
--
Graham Rule [EMAIL PROTECTED]
Computing Services, The University of Edinburgh  Phone: +44 131 650 6628
Main Library, George Sq, Edinburgh EH8 9LJ       Fax:   +44 131 650 6547


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
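
Added example, not part of the original thread: a Python audit for the setup described above, which walks a tree of Apache configuration and .htaccess files and reports every file holding a `php_value mysql.default_password` line that other local users can read, or that sits in an .htaccess file. The sample tree, file names and function names are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Matches the password directive discussed in the thread.
SECRET = re.compile(
    r"^\s*php_(?:admin_)?value\s+mysql\.default_password\s+\S+",
    re.IGNORECASE | re.MULTILINE,
)

def audit_file(path):
    """Return findings for one file; empty if it holds no password line."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path, "r", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return []  # unreadable to the auditing user: nothing to inspect
    if not SECRET.search(text):
        return []
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if os.path.basename(path) == ".htaccess":
        # .htaccess is read per request by the unprivileged Apache user.
        findings.append("password in .htaccess")
    return findings

def audit_tree(root):
    """Map each offending path (relative to root) to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            findings = audit_file(full)
            if findings:
                report[os.path.relpath(full, root)] = findings
    return report

def demo():
    """Build a constructed sample tree in a temp dir and audit it."""
    line = "php_value mysql.default_password secret\n"
    block = "<Directory /var/www/html/mydatabase>\n   " + line + "</Directory>\n"
    samples = {
        "conf/httpd.conf": (block, 0o600),   # mode the thread recommends
        "conf/vhost.conf": (block, 0o644),   # any local user can read it
        "html/mydatabase/.htaccess": (line, 0o644),
        "html/index.php": ("<?php $h = mysql_connect(); ?>\n", 0o644),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (text, mode) in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)
            os.chmod(path, mode)
        return audit_tree(root)

if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        print(path, "->", ", ".join(findings))
```

Run `audit_tree()` as an unprivileged user against the real configuration directory: files it cannot open are skipped, which is the outcome the 600/660 modes are meant to produce.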



RE: [PHP] web site security: how to hide login info for mysql-connection

2003-07-07 Thread Wendell Brown
On Mon, 7 Jul 2003 21:01:40 +0100 (BST), Graham Rule wrote:

> The only place that they are
> available is to PHP scripts run in the relevant directory.

Which means that if a hacker finds a cross script hack in one of those
directories (ie, if you have a security hole in one of your php
scripts), then it would be possible to access mysql.default_user and
mysql.default_password via ini_get()... wouldn't it?  And yes, I
understand you could turn on safe_mode or turn off the ini_get()
function.

I think the answer is that there isn't a 100% secure way to store
user_id / passwords that can be reconstituted.  Unfortunately, I don't
know what the most secure way to do this would be.  Your way MAY be the
best that we can get, but it kinda gives me the heebie jeebies.  :)





RE: [PHP] web site security: how to hide login info for mysql-connection

2003-07-01 Thread Mark
That's where this thread started...

--- Wendell Brown [EMAIL PROTECTED] wrote:
> On Mon, 30 Jun 2003 13:50:21 -0600, Peter Janett wrote:
>
> > My concern is that a shell emulating PHP or
> > Perl script run as Apache can read or copy ANY PHP script used
> > with PHP as an Apache module.
>
> It seems to me like the safest way to handle this would be to
> create a function that opens the database (with the user_id and
> password hard coded) and returns a handle to the open db.  Then put
> this function into a include directory outside the document root
> (you might have to disable fopen_with_path).
>
> function openDB() {
>
>   $MYSQL_Server   = "localhost";
>   $MYSQL_DB       = "db";
>   $MYSQL_User     = "user";
>   $MYSQL_Password = "password";
>
>   // Connect to database
>   $dbID = mysql_connect($MYSQL_Server, $MYSQL_User, $MYSQL_Password)
>     or die("Could not connect");
>
>   mysql_select_db( $MYSQL_DB )
>     or die("Could not select database");
>
>   return( $dbID );
> }
>
> Then call openDB() from your module
>
> <?PHP
>
>   include "hidden.php";
>
>   $dbHandle = openDB();
>
>   // whatever you want to do with the db here
>
> ?>
>
> Comments??
 
 
 


=
Mark Weinstock
[EMAIL PROTECTED]
***
You can't demand something as a right unless you are willing to fight to death to 
defend everyone else's right to the same thing.
***




RE: [PHP] web site security: how to hide login info for mysql-connection

2003-07-01 Thread Peter Janett
I played around with this, but couldn't get this to work in my httpd.conf:
php_value disable_functions phpinfo

Not sure why.

I did discover, however, that the username and password will not show up in
phpinfo UNLESS phpinfo() is called from within the directory, in our example
that would be /var/www/html/mydatabase.

That would mean that in order for someone to get the user/pass, they would
have to write a php script into my directory.

Any more thoughts?  This seems very appealing to me.

Thanks,

Peter Janett

New Media One Web Services, LLC
http://www.newmediaone.net
[EMAIL PROTECTED]
(303)828-9882



-Original Message-
From: Derick Rethans [mailto:[EMAIL PROTECTED]
Sent: Monday, June 30, 2003 2:59 PM
To: Wendell Brown
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [PHP] web site security: how to hide login info for
mysql-connection


On Mon, 30 Jun 2003, Wendell Brown wrote:

> On Mon, 30 Jun 2003 13:50:21 -0600, Peter Janett wrote:
>
> > <Directory /var/www/html/mydatabase>
> >    php_value mysql.default_user fred
> >    php_value mysql.default_password secret
> >    php_value mysql.default_host server.example.com
> > </Directory>
>
> H what about phpinfo()?  It shows those settings in the clear.

php_value disable_functions phpinfo

Derick

--
Interpreting what the GPL actually means is a job best left to those
that read the future by examining animal entrails.
-
 Derick Rethans http://derickrethans.nl/
 International PHP Magazine  http://php-mag.net/
-





Re: [PHP] web site security: how to hide login info for mysql-connection

2003-06-30 Thread Mark
How do you handle storing the login info then? Do you encrypt the
file and decrypt it on the fly? Where would you store the key? I'm in
the process of setting up a new application, and I've always used the
login info outside the webroot method but if there's something more
I can do, I'd like to know...


--- Jaap van Ganswijk [EMAIL PROTECTED] wrote:
> At 2003-06-29 17:21 +0100, Avvio - Frank wrote:
> > basically you need to append to your include_path and you can
> > probably create a local .htaccess file and set an include path in
> > there (look up php_value syntax for .htaccess)
> >
> > otherwise start your script with a customised version of the
> > following:
> >
> > ini_set("include_path", ini_get("include_path") . ":" . "/your/path/here/");
> >
> > then include/require as normal
>
> I think you can also use an include statement
> like this:
> include "../../php/include/file.inc";
>
> The same mechanism can also be used for data
> files that also shouldn't be in the WWW accessible
> directory tree, I think. (But I'm not an expert.)
>
> I always try to write my programs very portable
> and I have found that using ../application_data/file.txt
> isn't a problem, but using ../../xxx/application_data/file.txt
> is usually a problem, because you don't want to
> hardcode the name of the directory above the current
> directory (in this case 'xxx'). Sometimes however
> you have to go two levels up to go out of the
> WWW-accessible directory tree.
>
> By the way, I think it's unwise to keep the MySQL
> login data uncoded on the Unix system, because
> other users or the system managers could read it.
> Generally these files have to be readable by Apache
> and therefore other users on the system can often
> also read them.
>
> Greetings,
> Jaap
>
>
> > - Original Message -
> > From: anders thoresson [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Sent: Sunday, June 29, 2003 4:33 PM
> > Subject: Re: [PHP] web site security: how to hide login info for
> > mysql-connection
> >
> >
> > > > Be aware that wherever you store the settings folder, your
> > > > php.ini should have that path in its include_directories
> > > > setting, and the webserver must have read permissions for
> > > > that file.
> > >
> > > I don't have access to php.ini on my ISP's web server. Is there
> > > a way for a user to make their own set of include_directories?
> > >
> > > --
> > > anders thoresson
 


=
Mark Weinstock
[EMAIL PROTECTED]
***
You can't demand something as a right unless you are willing to fight to death to 
defend everyone else's right to the same thing.
***




RE: [PHP] web site security: how to hide login info for mysql-connection

2003-06-30 Thread Peter Janett
This issue seems to be a huge issue, and I've been looking for a good
solution for quite a long time.  My concern is that a shell emulating PHP or
Perl script run as Apache can read or copy ANY PHP script used with PHP as
an Apache module.

I set up Apache suEXEC on my server, and use it with Perl, and optionally PHP.
I don't want to make CGI based PHP the default, because running PHP as a CGI
slows it down a bit, but more importantly, limits a few functions.

I was reading the PHP site, and found an interesting idea at
http://us3.php.net/manual/en/function.mysql-connect.php in the user notes.
-
Another solution to the security problems of putting usernames and passwords
into scripts. I haven't found this documented anywhere else so thought I'd
suggest it for the online documentation. 

Don't put passwords for mysql into scripts which may be read by any user on
the machine.  Instead put them into an Apache configuration file and make
sure that it is not world-readable. (Apache reads its main config files as
root.)

For example, add this to your httpd.conf (and chmod it to 600 or 660) then
tell your apache to reload itself (apachectl graceful).

<Directory /var/www/html/mydatabase>
   php_value mysql.default_user fred
   php_value mysql.default_password secret
   php_value mysql.default_host server.example.com
</Directory>

Then all you need in your PHP code is

$handle = mysql_connect() or die(mysql_error());

The passwords etc will only be picked up by scripts running in the named
directory (or a sub-directory).  The same may be done for virtualhosts etc.

If you don't want to keep reloading your Apache server then you may test
things putting the php_value directives into a (world readable) .htaccess
file. (Clearly not for production use.)

If you need to debug the values that are being supplied (or not) then use
this snippet:

@syslog(LOG_DEBUG, "Using user=".ini_get("mysql.default_user").
  " pass=".ini_get("mysql.default_password").
  " host=".ini_get("mysql.default_host"));

(This assumes that you are not running in 'safe_mode' and that you are on a
unix of some sort.)

I can't think of why this wouldn't work, and it seems much more secure than
just putting the PHP script with the passwords outside the web root.

Has anyone done this?  Any thoughts on how someone could still get the
passwords with this setup?

Thanks,

Peter Janett

New Media One Web Services, LLC
http://www.newmediaone.net
[EMAIL PROTECTED]
(303)828-9882




RE: [PHP] web site security: how to hide login info for mysql-connection

2003-06-30 Thread Wendell Brown
On Mon, 30 Jun 2003 13:50:21 -0600, Peter Janett wrote:

> <Directory /var/www/html/mydatabase>
>    php_value mysql.default_user fred
>    php_value mysql.default_password secret
>    php_value mysql.default_host server.example.com
> </Directory>

H what about phpinfo()?  It shows those settings in the clear.





RE: [PHP] web site security: how to hide login info for mysql-connection

2003-06-30 Thread Mike Migurski
> > <Directory /var/www/html/mydatabase>
> >    php_value mysql.default_user fred
> >    php_value mysql.default_password secret
> >    php_value mysql.default_host server.example.com
> > </Directory>
>
> H what about phpinfo()?  It shows those settings in the clear.

solution: don't leave stray phpinfo's on a production site. :)

-
michal migurski - contact info and pgp key:
sf/ca             http://mike.teczno.com/contact.html





RE: [PHP] web site security: how to hide login info for mysql-connection

2003-06-30 Thread Derick Rethans
On Mon, 30 Jun 2003, Wendell Brown wrote:

> On Mon, 30 Jun 2003 13:50:21 -0600, Peter Janett wrote:
>
> > <Directory /var/www/html/mydatabase>
> >    php_value mysql.default_user fred
> >    php_value mysql.default_password secret
> >    php_value mysql.default_host server.example.com
> > </Directory>
>
> H what about phpinfo()?  It shows those settings in the clear.

php_value disable_functions phpinfo

Derick

-- 
Interpreting what the GPL actually means is a job best left to those
that read the future by examining animal entrails.
-
 Derick Rethans http://derickrethans.nl/ 
 International PHP Magazine  http://php-mag.net/
-





RE: [PHP] web site security: how to hide login info for mysql-connection

2003-06-30 Thread Wendell Brown
On Mon, 30 Jun 2003 13:50:21 -0600, Peter Janett wrote:

> My concern is that a shell emulating PHP or
> Perl script run as Apache can read or copy ANY PHP script used with PHP as
> an Apache module.

It seems to me like the safest way to handle this would be to create a
function that opens the database (with the user_id and password hard
coded) and returns a handle to the open db.  Then put this function
into a include directory outside the document root (you might have to
disable fopen_with_path).

function openDB() {

  $MYSQL_Server   = "localhost";
  $MYSQL_DB       = "db";
  $MYSQL_User     = "user";
  $MYSQL_Password = "password";

  // Connect to database
  $dbID = mysql_connect($MYSQL_Server, $MYSQL_User, $MYSQL_Password)
    or die("Could not connect");

  mysql_select_db( $MYSQL_DB )
    or die("Could not select database");

  return( $dbID );
}

Then call openDB() from your module

<?PHP

  include "hidden.php";

  $dbHandle = openDB();

  // whatever you want to do with the db here

?>

Comments??





Re: [PHP] web site security: how to hide login info for mysql-connection

2003-06-29 Thread anders thoresson
> Be aware that wherever you store the settings folder, your php.ini should
> have that path in its include_directories setting, and the webserver
> must have read permissions for that file.

I don't have access to php.ini on my ISP's web server. Is there a way for
a user to make their own set of include_directories?

--
anders thoresson


Re: [PHP] web site security: how to hide login info for mysql-connection

2003-06-29 Thread Avvio - Frank
basically you need to append to your include_path and you can probably
create a local .htaccess file and set an include path in there (look up
php_value syntax for .htaccess)

otherwise start your script with a customised version of the following:

ini_set("include_path", ini_get("include_path") . ":" . "/your/path/here/");

then include/require as normal

-- frank

- Original Message - 
From: anders thoresson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, June 29, 2003 4:33 PM
Subject: Re: [PHP] web site security: how to hide login info for
mysql-connection


> > Be aware that wherever you store the settings folder, your php.ini
> > should have that path in its include_directories setting, and the
> > webserver must have read permissions for that file.
>
> I don't have access to php.ini on my ISP's web server. Is there a way for
> a user to make their own set of include_directories?
>
> --
> anders thoresson




Re: [PHP] web site security: how to hide login info for mysql-connection

2003-06-29 Thread Jaap van Ganswijk
At 2003-06-29 17:21 +0100, Avvio - Frank wrote:
> basically you need to append to your include_path and you can probably
> create a local .htaccess file and set an include path in there (look up
> php_value syntax for .htaccess)
>
> otherwise start your script with a customised version of the following:
>
> ini_set("include_path", ini_get("include_path") . ":" . "/your/path/here/");
>
> then include/require as normal

I think you can also use an include statement
like this:
include "../../php/include/file.inc";

The same mechanism can also be used for data
files that also shouldn't be in the WWW accessible
directory tree, I think. (But I'm not an expert.)

I always try to write my programs very portable
and I have found that using ../application_data/file.txt
isn't a problem, but using ../../xxx/application_data/file.txt
is usually a problem, because you don't want to
hardcode the name of the directory above the current
directory (in this case 'xxx'). Sometimes however
you have to go two levels up to go out of the
WWW-accessible directory tree.

By the way, I think it's unwise to keep the MySQL
login data uncoded on the Unix system, because
other users or the system managers could read it.
Generally these files have to be readable by Apache
and therefore other users on the system can often
also read them.

Greetings,
Jaap


> - Original Message -
> From: anders thoresson [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Sunday, June 29, 2003 4:33 PM
> Subject: Re: [PHP] web site security: how to hide login info for
> mysql-connection
>
>
> > > Be aware that wherever you store the settings folder, your php.ini
> > > should have that path in its include_directories setting, and the
> > > webserver must have read permissions for that file.
> >
> > I don't have access to php.ini on my ISP's web server. Is there a way for
> > a user to make their own set of include_directories?
> >
> > --
> > anders thoresson
