Re: [PHP-DB] Protecting mysql database

2004-03-03 Thread Adam Voigt
Why not just stop the database?


On Wed, 2004-03-03 at 09:41, Piet from South Africa wrote:
> Hi
>
> Is there a way that an alert or something can be generated when a mysql
> database is being accessed in any way?
>
> I want to close the whole database for a period, and nobody may access the
> database via phpadmin or anything else.
>
> Appreciate your input on this one.
-- 

Adam Voigt
[EMAIL PROTECTED]

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP-DB] Protecting mysql database

2004-03-03 Thread Ricardo Lopes
If you want to close the whole database for a period, and that _NOBODY_
has access, just shut down the service, and prevent it from starting the
next time you restart your operating system. :)

You could make mysql log more than it normally does to the logs and then
analyse the log. You can even monitor the logs and when something happens
(like a login) send an email or sms to the administrator. I don't know how to
change which information is stored in the logs, look at the mysql
documentation, it has to be there.


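The log-monitoring idea from the reply above, as an added example that is not part of the original thread: a PHP scan of general query log lines for successful and failed connections. It assumes the general query log is enabled on the server; the log lines, the `backup` account and the function names are constructed for illustration.

```php
<?php
// Added example: report connections found in a MySQL general query log
// while the database is supposed to be closed. Log lines are constructed;
// the layout varies between MySQL versions, so adapt the patterns.

function find_connections(array $lines, array $allowedUsers = []): array
{
    $alerts = [];
    foreach ($lines as $i => $line) {
        // Failed login: Connect  Access denied for user 'u'@'h' (...)
        if (preg_match("/\\bConnect\\s+Access denied for user '([^']*)'@'([^']*)'/", $line, $m)) {
            $alerts[] = ['line' => $i + 1, 'kind' => 'denied',
                         'user' => $m[1], 'host' => $m[2], 'db' => ''];
            continue;
        }
        // Successful login: Connect  user@host on [database]
        if (preg_match('/\bConnect\s+([^\s@]+)@(\S+)\s+on\b(?: (\S*))?/', $line, $m)) {
            if (!in_array($m[1], $allowedUsers, true)) {
                $alerts[] = ['line' => $i + 1, 'kind' => 'login',
                             'user' => $m[1], 'host' => $m[2], 'db' => $m[3] ?? ''];
            }
        }
    }
    return $alerts;
}

function format_alert(array $a): string
{
    $db = $a['db'] === '' ? '(none)' : $a['db'];
    return sprintf('[%s] %s@%s db=%s (log line %d)',
                   strtoupper($a['kind']), $a['user'], $a['host'], $db, $a['line']);
}

// Constructed sample in the older "id Command Argument" layout.
$sample = [
    "040303  9:41:07\t      1 Connect     root@localhost on ",
    "\t\t      1 Query       SHOW DATABASES",
    "040303  9:42:15\t      2 Connect     webuser@192.0.2.10 on shop",
    "040303  9:42:40\t      3 Connect     Access denied for user 'admin'@'192.0.2.77' (using password: YES)",
    "\t\t      3 Quit",
    "040303  9:50:02\t      4 Connect     backup@localhost on shop",
];

// 'backup' is a hypothetical account allowed during the closed period.
foreach (find_connections($sample, ['backup']) as $alert) {
    // Delivery is left out; PHP's mail() could send this text to the admin.
    echo format_alert($alert), "\n";
}
```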



RE: [PHP-DB] protecting

2002-02-11 Thread Beau Lebens

You might find the library at http://www.dentedreality.com.au/jsvalidation/
useful, but you should also perform similar checks server-side using PHP,
since if you are that worried about malicious use of your site, people can
easily circumvent JavaScript validation.

// -Original Message-
// From: Mihail Bota [mailto:[EMAIL PROTECTED]]
// Sent: Tuesday, 12 February 2002 12:19 PM
// To: CrossWalkCentral
// Cc: [EMAIL PROTECTED]
// Subject: Re: [PHP-DB] protecting
//
// put some javascript validation form. if the value of the form contains
// .jpg, etc. don't allow the user to go further.
//
// On Mon, 11 Feb 2002, CrossWalkCentral wrote:
//
// > How can I help protect people from modifying a form that submits data
// > to php file that stores the data in a database
// >
// > for example I have a text box that asks for a first name and I am
// > getting a lot of garbage back like if they modified my form and
// > submitted an image instead.
// >
// > I know that there is some sort of parse out there that I can put in
// > the php file that will help validate this





RE: [PHP-DB] protecting

2002-02-11 Thread Mihail Bota

correct!

On Tue, 12 Feb 2002, Beau Lebens wrote:

> you might find the library at http://www.dentedreality.com.au/jsvalidation/
> useful, but you should also perform similar checks server-side using PHP
> since if you are that worried about malicious use of your site, people can
> easily circumvent javascript validation
 
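The server-side check recommended in this thread, as an added example that is not code from any of the posters: a PHP validator for the first-name field that rejects array input, binary data such as an uploaded image, and over-long or non-name text. The function name, length limit and allowed character set are assumptions, and it needs the mbstring extension and PHP 7.1 or later.

```php
<?php
// Added example: server-side check for a "first name" form field.
// Field rules (length, allowed characters) are assumptions.

/**
 * Return [cleanValue, null] when the input is acceptable,
 * or [null, reason] when it must be rejected.
 */
function validate_first_name($raw, int $maxLen = 40): array
{
    // firstname[]=x arrives as an array; a missing field as null.
    if (!is_string($raw)) {
        return [null, 'not a single text value'];
    }
    // Binary data (JPEG, GIF ...) is almost never valid UTF-8.
    if (!mb_check_encoding($raw, 'UTF-8')) {
        return [null, 'not valid UTF-8 text'];
    }
    $name = trim($raw);
    if ($name === '') {
        return [null, 'empty'];
    }
    if (mb_strlen($name, 'UTF-8') > $maxLen) {
        return [null, 'too long'];
    }
    // Letters and combining marks, with single spaces, apostrophes or
    // hyphens only between name parts.
    if (!preg_match('/^[\p{L}\p{M}]+(?:[ \'-][\p{L}\p{M}]+)*\z/u', $name)) {
        return [null, 'characters not allowed in a name'];
    }
    return [$name, null];
}

// Constructed inputs, including the first bytes of a JPEG file.
$samples = [
    'plain name'     => 'Anna',
    'padded, hyphen' => '  Jean-Luc ',
    'apostrophe'     => "O'Brien",
    'accented'       => "Jos\u{E9}",
    'file name'      => 'photo.jpg',
    'markup'         => 'x<b>y',
    'JPEG bytes'     => "\xFF\xD8\xFF\xE0\x00\x10JFIF",
    'array input'    => ['Anna'],
    'very long'      => str_repeat('a', 200),
    'blank'          => '   ',
];

foreach ($samples as $label => $raw) {
    [$clean, $why] = validate_first_name($raw);
    printf("%-16s %s\n", $label, $clean !== null ? "ok: $clean" : "rejected: $why");
}
```

The cleaned value should still be written to the database through a parameterized query; validation narrows the input, it does not make it safe to concatenate into SQL.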




Re: [PHP-DB] Protecting php scripts from source being downloaded

2002-01-09 Thread Neil Thomson

u can download a php page from a download manager ? i just tried with
flashget...  it parsed the php page into html first.. ? ?

if you want to protect your say.. variables file from some1 trying in the
address of it. here's a simple way. in the variables file include
@header("status: error 404"); (or how ever that code goes). then in the page u
want to include this. start the html tag first <html> then include this
page. the @ will make it not report errors. so u can include the page
perfectly..  when people try to look @ it, it will say it doesn't exist.

Neil

- Original Message -
From: Tom [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, January 09, 2002 8:00 AM
Subject: [PHP-DB] Protecting php scripts from source being downloaded

> Hi, I'm kinda new to this so be kind :)
>
> I'm using mysql and php to create test databases (guestbook etc, basic
> stuff), but it doesn't seem so secure, people can just use a download
> manager to download the php files and steal the mysql passwords. Is there
> any way to make it so they can see the php files through the browser but
> not download my homecrafted php?
>
> I've looked through many websites and the history of this, all I could find
> was one post which was to encrypt the files (this isn't really suitable for
> me as I edit bits and bobs as I go along). Is there any way I can set up
> access as said in the above? Or just hide the password somehow? I'm using
> IIS 5.1.
>
> thanks
> tom







RE: [PHP-DB] Protecting php scripts from source being downloaded

2002-01-09 Thread Ryan Marrs

Or you could do something like:

if (!empty($PHP_SELF))
{
    // config.php was requested directly instead of being include()d
    if (stristr($PHP_SELF, "config.php"))
    {
        header("Status: 404 Not Found");
    }
}

that's assuming you use the register_globals.  If not, then you could simply
grab $PHP_SELF from the environment variables.

Ryan






Re: [PHP-DB] Protecting php scripts from source being downloaded

2002-01-09 Thread Tom

Sorry, as I said I'm kinda new, I was downloading the file from my webserver
to my computer, and it downloaded the php file as a php file, non parsed by
the preprocessor. But when other people download it it does only give the
source

sorry :)





RE: [PHP-DB] Protecting database password

2001-07-18 Thread Walter, Marcel

On Unix it is possible to make an include file with all the settings
like $user, $passwd and so on and store it somewhere in the
filesystem (not under your htdocs-path)

So no one can access this file via web

You can include this file with its variables with the include() - statement
...

Imagine your PHP-Engine won't work and someone accesses a page where you
included this file with the settings, he will never see your Password
but just the include-statement ... nothing else ...
And he won't be able to access the file since it's not in your /htdocs - Path
...

Cheers,
Marcel

> -Original Message-
> From: Marco Draijer [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, July 18, 2001 09:41
> To: [EMAIL PROTECTED]
> Subject: [PHP-DB] Protecting database password
>
> For a PHP-application on Windows NT, I am using an Oracle database and the
> database-interface db_oci8.inc (a PHP-class, downloaded from the net).
> To be able to make the connection to the database, the class has to know
> the databasename, username, and password. At the moment, it is hardcoded in
> the include-file. This file can be downloaded by anyone who knows its exact
> name and location (which is not hard, of course). I want to prevent this.
> I have tried some things with permissions, but I could not find a solution
> there.
> A known solution on Windows-platforms is, to put the names & password in
> the registry of the server, but I don't know how I can read data from the
> registry in PHP.
> Another solution is to use environment variables. I know how to read them:
> the documentation says that getenv() gives the environment of the client,
> but that is not true, at least on NT it gives the environment of the server.
> But then again: of which user is that environment and won't it be easy to
> read that environment over the internet?
> Can anyone give me advice on this?
> Furthermore I will be setting up a similar construction (PHP + password
> protected database) on a Linux machine. So I am also interested in
> Unix-only solutions.
>
> Thanks in advance,
> Marco Draijer




Re: [PHP-DB] Protecting database password

2001-07-18 Thread Dobromir Velev

Hi,
I suggest you use a .php file to declare your database variables and include
it everywhere you need it. Even if someone guesses the name of this file
when he tries to open it, nothing will be output to the screen.

An example file is

<?php
// Database settings only; nothing is echoed, so a direct request shows nothing.
$dbname = "name";
$dbuser = "user";
$dbpass = "pass";
?>

Then you'll have to set the permissions of this file in a way that no one
(except you and the process that runs the php) with access to the server can
read this file.

Hope this helps
Dobromir Velev

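The two replies in this thread (keep the settings file outside the htdocs path, and restrict its file permissions) combined in one added example, which is not code from either poster: a PHP loader that refuses a settings file located under the web root or accessible to other users. The paths, key names and the choice to have the file return an array rather than set `$dbname`-style variables are assumptions; it needs PHP 7.0 or later.

```php
<?php
// Added example: load database settings from a file outside the web
// root and refuse one that is web-reachable or open to other users.
// Paths and key names are hypothetical.

function load_db_config(string $file, string $docRoot): array
{
    $real = realpath($file);
    $root = realpath($docRoot);
    if ($real === false || $root === false || !is_file($real)) {
        throw new RuntimeException('config file or web root not found');
    }
    // A file under the document root can be requested by URL.
    if (strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('config file is inside the web root');
    }
    // Unix only: no read or write bit for "other" users.
    if (DIRECTORY_SEPARATOR === '/' && (fileperms($real) & 0006) !== 0) {
        throw new RuntimeException('config file is accessible to other users');
    }
    // The file returns an array, so no variables leak into global scope.
    $cfg = require $real;
    foreach (['dbname', 'dbuser', 'dbpass'] as $key) {
        if (!is_array($cfg) || !isset($cfg[$key]) || !is_string($cfg[$key])) {
            throw new RuntimeException("config key missing: $key");
        }
    }
    return $cfg;
}

function try_load(string $file, string $docRoot): string
{
    try {
        return 'loaded, user=' . load_db_config($file, $docRoot)['dbuser'];
    } catch (RuntimeException $e) {
        return 'refused: ' . $e->getMessage();
    }
}

// Constructed layout under the system temp directory.
$base = sys_get_temp_dir() . '/cfgdemo_' . getmypid();
mkdir("$base/htdocs", 0700, true);
mkdir("$base/private", 0700, true);
$body = "<?php return ['dbname' => 'name', 'dbuser' => 'user', 'dbpass' => 'pass'];\n";
foreach (['private', 'htdocs'] as $sub) {
    file_put_contents("$base/$sub/db.php", $body);
    chmod("$base/$sub/db.php", 0600);
}

echo try_load("$base/private/db.php", "$base/htdocs"), "\n";
echo try_load("$base/htdocs/db.php", "$base/htdocs"), "\n";
chmod("$base/private/db.php", 0644);   // now world-readable
clearstatcache();
echo try_load("$base/private/db.php", "$base/htdocs"), "\n";

// Clean up the demo files.
foreach (['private', 'htdocs'] as $sub) {
    unlink("$base/$sub/db.php");
    rmdir("$base/$sub");
}
rmdir($base);
```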




Re: [PHP-DB] Protecting files

2001-04-05 Thread Ron Brogden

At 03:09 AM 4/5/2001 +0100, Mick Lloyd wrote:
> But how do I then protect the directories/scripts from anyone wanting to
> have a look (not that they're worth much!).

Create a .htaccess file that contains the following:

deny from all

Place it in the directories you wish to protect.  Next, create a script 
which will pass through a given file to a user if certain conditions are 
met (there are a few functions that can help with this under file i/o in 
the PHP manual).

Be EXTREMELY careful on how you handle paths with this.  The best thing to 
do is to make the file requests based on an ID number (remember to force 
the value to an integer in your script) and then associate the "id" with an 
entry in the config file or database so people cannot call your script with 
arbitrary file names.  Make sure you catch the default case where the ID 
does not match a file too just in case.

Cheers



-
Island Net AMT Solutions Group Inc.  Telephone:  250 383-0096
1412 Quadra  Toll Free:1 800 331-3055
Victoria, B.C.   Fax:250 383-6698
V8W 2L1  E-Mail:[EMAIL PROTECTED]
Canada   WWW:   http://www.islandnet.com/
-


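The pass-through script described in the reply above, as an added example that is not the poster's code: file requests are made by integer ID, the ID is looked up in a server-side map, and the unmatched case is refused. The directory, file names, IDs and the `member_id` session key are hypothetical; it needs PHP 7.1 or later.

```php
<?php
// Added example: hand out protected files by integer ID only.
// Directory, file names, IDs and the session key are hypothetical.

/** Return the absolute path for a raw request value, or null to refuse. */
function resolve_download($rawId, array $map, string $baseDir): ?string
{
    // Accept a short run of digits only: no arrays (id[]=1), signs,
    // whitespace or path characters ever reach the file system.
    if (!is_string($rawId) || !ctype_digit($rawId) || strlen($rawId) > 9) {
        return null;
    }
    $id = (int) $rawId;                 // force the value to an integer
    if (!isset($map[$id])) {
        return null;                    // default case: ID matches no file
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . '/' . $map[$id]);
    // realpath() is false for a missing file; the prefix test catches a
    // map entry or symlink that resolves outside the protected directory.
    if ($base === false || $full === false || !is_file($full)
        || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

/** Pass the file through, or answer 403/404 without echoing the request. */
function send_download($rawId, array $map, string $baseDir, bool $loggedIn): void
{
    if (!$loggedIn) { http_response_code(403); return; }
    $full = resolve_download($rawId, $map, $baseDir);
    if ($full === null) { http_response_code(404); return; }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($full) . '"');
    header('Content-Length: ' . filesize($full));
    readfile($full);
}

if (PHP_SAPI === 'cli') {
    // Constructed demo: a temporary "protected" directory and one file
    // beside it that a bad map entry (ID 2) tries to reach.
    $dir = sys_get_temp_dir() . '/protected_' . getmypid();
    $outside = $dir . '_outside.txt';
    mkdir($dir);
    file_put_contents($dir . '/manual.txt', "demo\n");
    file_put_contents($outside, "not for download\n");
    $map = [1 => 'manual.txt', 2 => '../' . basename($outside), 3 => 'missing.txt'];
    foreach (['1', '2', '3', '99', '1abc', '-1', ['1']] as $raw) {
        $ok = resolve_download($raw, $map, $dir) !== null;
        echo json_encode($raw), ' => ', $ok ? 'served' : 'refused', "\n";
    }
    unlink($dir . '/manual.txt');
    unlink($outside);
    rmdir($dir);
} else {
    // Web use: the map would come from a config file or the database.
    session_start();
    send_download($_GET['id'] ?? null, [1 => 'manual.txt'],
                  '/var/www/protected', isset($_SESSION['member_id']));
}
```

The digit check is stricter than a plain integer cast, which would turn a value such as `1abc` into `1` and serve the file.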




Re: [PHP-DB] Protecting files

2001-04-05 Thread Miles Thompson

Mick,

Since you have the login screens, etc. already, once a user is 
authenticated, start a session and register a session variable, using a 
meaningful value fetched from the database. I use "member_id", but anything 
will do.

At the very top of each page you want to protect, with no spaces or 
ANYTHING before it, add this code:
<?php session_start(); if (!isset($_SESSION["member_id"])) { header("Location: user_logon.php"); exit; } ?>
The pages all have to have a .php extension so that this code  will 
execute, but other than this one line they can be straight HTML.

When a user hits the page, coming from anywhere, and doesn't have a session 
registered with something in "member_id", he is redirected to the logon 
page, creatively named "user_logon.php".

The beauty of this is that the session disappears when the browser is 
closed, you can also provide a "logout" function which has only to destroy 
the session variable. Now you can dispense with .htaccess and .htpasswd.

To protect each directory, all you need is an index.php in each, containing 
nothing more than this line. Anyone blundering in will be directed to log 
on. If you prefer to not protect some pages in a directory, leave the line 
off.

More than a word, and I hope it's helpful - Miles


At 03:09 AM 4/5/01 +0100, Mick Lloyd wrote:
> Can anyone point me to a tutorial that explains in words of one syllable how
> to protect files/directories without using .htaccess and .htpasswd.
>
> I have log-in screens that search an authorized users database for name,
> password, level before they can get into the site. But each time someone (ie
> me at the moment) tries to log-in, the browser throws up the (HTTP
> Authentication?) dialog box - I guess because I have .htaccess and .htpasswd
> protecting the directories where the scripts reside. I would prefer not to
> have this happen and rely only on authentication from the database. But how
> do I then protect the directories/scripts from anyone wanting to have a look
> (not that they're worth much!).
>
> Thanks
>
> Mick Lloyd
> [EMAIL PROTECTED]
> Tel: +44 (0)1684 560224

