RE: [PHP-DB] How can you hide database login passwd in yourscript?
At 6:22 PM +1000 9/5/01, speedboy wrote:

$0 option: Put your user ID and password in a config file, then give only the webserver user access to it. Read the config file to make it work. This also allows easy switching between test and production environments.

You can't change the group owner of a file unless you have root. That does not stop another php user fopen'ing your config file.

If you're creating a config file, first always include .php or .php3 as part of the name; this means that if someone tries to directly access the file using a web browser, the file compiles and prints as blank. Secondly, references to the config file should be placed after the html and before the head tags, so even if the page breaks, the path to the file is never shown to the user.

Additionally, if you like and your host is set up for it, you can store config files and other includes in the (data) folder of your website. Many ISPs offer set-ups that include an (html), (data), (scripts), and (log) folder. The benefit of using a data folder is that it is inaccessible to anyone trying to access it without root permission. Files located in the (data) folder generally must be specified using the path_to_file method ( /myISP/theirHostArea/myUserName/data/).

Generally speaking, the first two methods are secure enough. If a PHP user does guess the correct path to your config file, they generally cannot access it using the http://www.yoursite.com/include/config.inc.php method, since the file pre-compiles as blank or empty. This means that they would need to gain root privileges to read the file as text.

The data folder provides a nice extra layer of security, pretty much ensuring that the file can't be called using the http:// method at all, since it's outside of your web root.

Alnisa

--
Alnisa Allgood
Executive Director
Nonprofit Tech
(ph) 415.337.7412 (fx) 415.337.7927
(url) http://www.nonprofit-techworld.org
(url) http://www.nonprofit-tech.org
(url) http://www.tech-library.org
Nonprofit Tech E-Update mailto:[EMAIL PROTECTED]
applying technology to transform

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Re: [PHP-DB] How can you hide database login passwd in yourscript?
That does not stop another php user fopen'ing your config file.

This is a point that needs to be stressed. The other posts about keeping db connection info outside of the web tree and naming the files .php are good ones, but even with them, there can be major security problems on a shared virtual host, which many / most hosting providers provide.

For example, a malicious user gets an account on a shared host with PHP (probably Perl, too) installed. They then do an fopen on the /etc/passwd file to see which users are on the machine and where their directories are. If shadow passwords aren't used, they also get the encrypted password.

With that knowledge they can use the standard PHP directory commands like dir to get a listing of all the files in a user's home directory and then they can fopen whichever one they'd like. In these setups, the same user (nobody, www, etc.) has read access to all of these files. If it didn't, your script wouldn't work.

Once a user finds a password for a mysql database, they can just:

DROP database_name
or
DELETE FROM table_name

Possible solutions:

1) Run your own server (not possible in many cases)
2) Run php in safe mode (something a hosting provider must do, will break some/many apps)
3) Make sure that your mysql users have only the necessary permissions, i.e., don't give the user insert/update/delete privs if they only need to SELECT.
4) Don't store sensitive data in databases on shared servers.
5) Backup everything from databases regularly and hope you never really need to use them.

Hope that helps.

Sincerely,

Paul Burney

Paul Burney
Webmaster
Open Source Developer
UCLA - GSEIS - ETU
(310) 825-8365
[EMAIL PROTECTED]
http://www.gseis.ucla.edu/
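
An added example, not part of either post: a small Python audit that checks a credentials file against the placement and naming advice discussed in this thread (outside the web root, or at least carrying a PHP extension) and against plain file-mode exposure. The directory layout, file names, and the `audit_config` and `demo` helpers are assumptions constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Extensions named in the thread; assumes the host hands them to the PHP handler.
PHP_EXTENSIONS = {".php", ".php3"}

def audit_config(config_path, web_root):
    """Return a list of findings for one credentials file (empty list = none)."""
    config = Path(config_path).resolve()
    root = Path(web_root).resolve()
    findings = []
    inside_root = root in config.parents
    if inside_root and config.suffix.lower() not in PHP_EXTENSIONS:
        findings.append("served-as-text: inside web root without a PHP extension")
    elif inside_root:
        findings.append("inside-web-root: relies on the PHP handler staying enabled")
    mode = config.stat().st_mode
    if mode & stat.S_IROTH:
        findings.append("world-readable: any local account can read it")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable-by-others: group or other can modify it")
    # Limitation: mode bits cannot reveal the shared-host case raised in the
    # thread, where every customer's script runs as the same web server user.
    return findings

def demo():
    """Build a constructed html/ + data/ layout in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as base:
        html = Path(base, "html")
        data = Path(base, "data")
        (html / "include").mkdir(parents=True)
        data.mkdir()
        cases = {
            html / "include" / "config.inc": 0o644,      # raw text over HTTP
            html / "include" / "config.inc.php": 0o644,  # parsed, still in web root
            data / "config.inc.php": 0o640,              # outside web root
        }
        results = {}
        for path, mode in cases.items():
            path.write_text("<?php $db_pass = 'constructed-sample'; ?>\n")
            os.chmod(path, mode)
            results[path.relative_to(base).as_posix()] = audit_config(path, html)
        return results

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["no findings"])
```

A clean result only covers HTTP exposure and file modes; the database account behind the file should still hold only the privileges the application needs.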