Re: [PHP-DB] Protecting mysql database
Why not just stop the database?

On Wed, 2004-03-03 at 09:41, Piet from South Africa wrote:
> Hi
>
> Is there a way that an alert or something can be generated when a mysql database is being accessed in any way. I want to close the whole database for a period, and nobody may access the database via phpadmin or anything else
>
> Appreciate your input on this one.

--
Adam Voigt
[EMAIL PROTECTED]

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] Protecting mysql database
If you want to close the whole database for a period, and that _NOBODY_ has access, just shut down the service, and prevent it from starting the next time you restart your operating system. :)

You could make mysql log more than it normally does to the logs and then analyse the log. You can even monitor the logs and when something happens (like a login) send an email or SMS to the administrator.

I don't know how to change which information is stored in the logs; look at the mysql documentation, it has to be there.
RE: [PHP-DB] protecting
You might find the library at http://www.dentedreality.com.au/jsvalidation/ useful, but you should also perform similar checks server-side using PHP, since if you are that worried about malicious use of your site, people can easily circumvent javascript validation.

// -----Original Message-----
// From: Mihail Bota [mailto:[EMAIL PROTECTED]]
// Sent: Tuesday, 12 February 2002 12:19 PM
// To: CrossWalkCentral
// Cc: [EMAIL PROTECTED]
// Subject: Re: [PHP-DB] protecting
//
// put some javascript validation form. if the value of the form contains
// .jpg, etc. don't allow the user to go further.
//
// On Mon, 11 Feb 2002, CrossWalkCentral wrote:
//
// How can I help protect people from modifying a form that
// submits data to php file that stores the data in a database
//
// for example I have a text box that asks for a first name
// and I am getting a lot of garbage back like if they modified
// my form and submitted an image instead.
//
// I know that there is some sort of parse out there that I
// can put in the php file that will help validate this
RE: [PHP-DB] protecting
correct!

On Tue, 12 Feb 2002, Beau Lebens wrote:
> you might find the library at http://www.dentedreality.com.au/jsvalidation/ useful, but you should also perform similar checks server-side using PHP since if you are that worried about malicious use of your site, people can easily circumvent javascript validation
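Added example, not part of the original thread: one way to do the server-side check recommended above for the "first name" field, run against constructed submissions that include the first bytes of a JPEG. The function name, the 50-character limit and the allowed character set are assumptions; it needs PHP 8 with the mbstring extension.

```php
<?php
declare(strict_types=1);

/**
 * Server-side check for a "first name" form field.
 * Returns the cleaned name, or null when the value must be rejected.
 * The length limit and character set are assumptions for this example.
 */
function validate_first_name(mixed $raw): ?string
{
    // A modified form can send an array (first_name[]=x) or nothing at all.
    if (!is_string($raw)) {
        return null;
    }
    // Binary data such as an image is not valid UTF-8 text.
    if (!mb_check_encoding($raw, 'UTF-8')) {
        return null;
    }
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 50) {
        return null;
    }
    // Letters and combining marks, then spaces, apostrophes and hyphens.
    if (preg_match('/^[\p{L}\p{M}][\p{L}\p{M} \'\-]*\z/u', $name) !== 1) {
        return null;
    }
    return $name;
}

// Constructed sample submissions.
$samples = [
    'plain name'  => 'Anne-Marie',
    'accented'    => "Zo\u{00EB}",
    'padded'      => '  Tom  ',
    'jpeg bytes'  => "\xFF\xD8\xFF\xE0\x00\x10JFIF",
    'file name'   => 'holiday.jpg',
    'markup'      => '<img src=x>',
    'array value' => ['x'],
    'too long'    => str_repeat('a', 51),
];

foreach ($samples as $label => $value) {
    $clean = validate_first_name($value);
    printf("%-12s %s\n", $label, $clean === null ? 'REJECTED' : "accepted: $clean");
}
```

The check runs in the PHP script that receives the form, so it still applies when the browser-side validation is bypassed.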
Re: [PHP-DB] Protecting php scripts from source being downloaded
u can download a php page from a download manager? i just tried with flashget... it parsed the php page into html first..?

if you want to protect your say.. variables file from some1 trying in the address of it, here's a simple way. in the variables file include @header("status: error 404"); (or however that code goes). then in the page u want to include this, start the html tag first, <html>, then include this page. the @ will make it not report errors, so u can include the page perfectly. when people try to look @ it, it will say it doesn't exist.

Neil

----- Original Message -----
From: Tom [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, January 09, 2002 8:00 AM
Subject: [PHP-DB] Protecting php scripts from source being downloaded

> Hi, I'm kinda new to this so be kind :)
>
> I'm using mysql and php to create test databases (guestbook etc, basic stuff), but it doesn't seem so secure, people can just use a download manager to download the php files and steal the mysql passwords. Is there any way to make it so they can see the php files through the browser but not download my homecrafted php?
>
> I've looked through many websites and the history of this, all I could find was one post which was to encrypt the files (this isn't really suitable for me as I edit bits and bobs as I go along). Is there any way I can set up access as said in the above? Or just hide the password somehow?
>
> I'm using IIS 5.1.
>
> thanks
> tom

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP-DB] Protecting php scripts from source being downloaded
Or you could do something like:

    // Answer with a 404 when config.php itself is the requested script
    if (!empty($PHP_SELF)) {
        if (stristr($PHP_SELF, "config.php")) {
            header("Status: 404 Not Found");
        }
    }

that's assuming you use the register_globals. If not, then you could simply grab $PHP_SELF from the environment variables.

Ryan
Re: [PHP-DB] Protecting php scripts from source being downloaded
sorry, as I said I'm kinda new, I was downloading the file from my webserver to my computer, and it downloaded the php file as a php file, non parsed by the preprocessor. But when other people download it it does only give the source sorry :)
RE: [PHP-DB] Protecting database password
On Unix it is possible to make an include file with all the settings like $user, $passwd and so on and store it somewhere in the filesystem (not under your htdocs path), so no one can access this file via the web.

You can include this file with its variables with the include() statement ...

Imagine your PHP engine won't work and someone accesses a page where you included this file with the settings: he will never see your password but just the include statement ... nothing else ... And he won't be able to access the file since it's not in your /htdocs path ...

Cheers,
Marcel

-----Original Message-----
From: Marco Draijer [SMTP:[EMAIL PROTECTED]]
Sent: Wednesday, July 18, 2001 09:41
To: [EMAIL PROTECTED]
Subject: [PHP-DB] Protecting database password

> For a PHP-application on Windows NT, I am using an Oracle database and the database-interface db_oci8.inc (a PHP-class, downloaded from the net). To be able to make the connection to the database, the class has to know the databasename, username, and password. At the moment, it is hardcoded in the include-file. This file can be downloaded by anyone who knows its exact name and location (which is not hard, of course). I want to prevent this.
>
> I have tried some things with permissions, but I could not find a solution there. A known solution on Windows-platforms is, to put the names password in the registry of the server, but I don't know how I can read data from the registry in PHP.
>
> Another solution is to use environment variables. I know how to read them: the documentation says that getenv() gives the environment of the client, but that is not true, at least on NT it gives the environment of the server. But then again: of which user is that environment and won't it be easy to read that environment over the internet?
>
> Can anyone give me advice on this?
>
> Furthermore I will be setting up a similar construction (PHP + password protected database) on a Linux machine. So I am also interested in Unix-only solutions.
>
> Thanks in advance,
> Marco Draijer
Re: [PHP-DB] Protecting database password
Hi,

I suggest you use a .php file to declare your database variables and include it everywhere you need it. Even if someone guesses the name of this file, when he tries to open it nothing will be output to the screen.

An example file is

    <?php
    $dbname = "name";
    $dbuser = "user";
    $dbpass = "pass";
    ?>

Then you'll have to set the permissions of this file in a way that no one (except you and the process that runs the php) with access to the server can read this file.

Hope this helps
Dobromir Velev
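Added example, not part of the original thread: a loader that combines the two replies above (settings file kept outside the web root, and file permissions that shut out other users) and refuses to load a settings file that breaks either rule. The function name, the temporary directory layout and the sample values are constructed for the demonstration; it assumes PHP 8 on a Unix system.

```php
<?php
declare(strict_types=1);

// Load $dbname/$dbuser/$dbpass from a settings file, refusing one that is
// under the document root or open to every local account (Unix mode bits).
function load_db_config(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);
    $root = realpath($docRoot);
    if ($real === false || $root === false || !is_file($real)) {
        throw new RuntimeException('settings file or document root not found');
    }
    if (str_starts_with($real, $root . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException('settings file is inside the document root');
    }
    clearstatcache(true, $real);           // do not trust a cached mode
    $mode = fileperms($real) & 0777;
    if (($mode & 0007) !== 0) {
        throw new RuntimeException(sprintf('mode %04o is open to other users', $mode));
    }
    require $real;                         // defines the variables in this scope
    if (!isset($dbname, $dbuser, $dbpass)) {
        throw new RuntimeException('settings file does not define all variables');
    }
    return ['dbname' => $dbname, 'dbuser' => $dbuser, 'dbpass' => $dbpass];
}

// Demonstration on a throwaway directory tree (constructed paths and values).
$base = sys_get_temp_dir() . '/cfgdemo_' . bin2hex(random_bytes(4));
mkdir("$base/htdocs", 0755, true);
mkdir("$base/conf", 0750, true);
$settings = "<?php\n\$dbname = 'name';\n\$dbuser = 'user';\n\$dbpass = 'pass';\n";
file_put_contents("$base/conf/db.php", $settings);
file_put_contents("$base/htdocs/db.php", $settings);

$cases = [
    'outside web root, mode 0640' => ["$base/conf/db.php", 0640],
    'outside web root, mode 0644' => ["$base/conf/db.php", 0644],
    'inside web root, mode 0640'  => ["$base/htdocs/db.php", 0640],
];
foreach ($cases as $label => [$path, $mode]) {
    chmod($path, $mode);
    try {
        $cfg = load_db_config($path, "$base/htdocs");
        echo "$label: loaded settings for user {$cfg['dbuser']}\n";
    } catch (RuntimeException $e) {
        echo "$label: refused ({$e->getMessage()})\n";
    }
}

// Remove the demonstration files again.
unlink("$base/conf/db.php");
unlink("$base/htdocs/db.php");
rmdir("$base/conf");
rmdir("$base/htdocs");
rmdir($base);
```

Only the first case loads; the other two are refused with the reason printed.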
Re: [PHP-DB] Protecting files
At 03:09 AM 4/5/2001 +0100, Mick Lloyd wrote:
> But how do I then protect the directories/scripts from anyone wanting to have a look (not that they're worth much!).

Create a .htaccess file that contains the following:

    deny from all

Place it in the directories you wish to protect.

Next, create a script which will pass through a given file to a user if certain conditions are met (there are a few functions that can help with this under file i/o in the PHP manual).

Be EXTREMELY careful on how you handle paths with this. The best thing to do is to make the file requests based on an ID number (remember to force the value to an integer in your script) and then associate the "id" with an entry in the config file or database so people cannot call your script with arbitrary file names. Make sure you catch the default case where the ID does not match a file too just in case.

Cheers

--
Island Net
AMT Solutions Group Inc.
1412 Quadra, Victoria, B.C. V8W 2L1, Canada
Telephone: 250 383-0096
Toll Free: 1 800 331-3055
Fax: 250 383-6698
E-Mail: [EMAIL PROTECTED]
WWW: http://www.islandnet.com/
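Added example, not part of the original message: a pass-through script of the kind described above, where the request carries only an integer ID, the ID is looked up in a fixed table, and an unknown ID falls through to a 404. The directory name, the table entries and the session condition ("member_id") are assumptions for this example; it needs PHP 8.

```php
<?php
declare(strict_types=1);

// Hypothetical layout: the files sit in a directory whose .htaccess says
// "deny from all", so only this script can hand them out.
const PROTECTED_DIR = __DIR__ . '/protected';

// ID => [file name on disk, content type]. Constructed sample entries;
// file names never come from the request.
const DOWNLOADS = [
    1 => ['price-list.pdf', 'application/pdf'],
    2 => ['manual.txt', 'text/plain'],
];

/** Map a request value to a known file, or null for the default case. */
function resolve_download(mixed $rawId, array $table, string $baseDir): ?array
{
    // Stricter than an (int) cast: "2abc", "1.5", arrays and null all fail.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || !isset($table[$id])) {
        return null;
    }
    [$name, $type] = $table[$id];
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // Defence in depth: a symlink or a bad table entry must not lead
    // outside the protected directory.
    if ($base === false || $path === false || !is_file($path)
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return ['path' => $path, 'name' => $name, 'type' => $type];
}

// Request handling; skipped when the file is loaded from the command line.
if (PHP_SAPI !== 'cli') {
    session_start();
    // Assumed access condition: a logged-in session.
    if (empty($_SESSION['member_id'])) {
        http_response_code(403);
        exit('Forbidden');
    }
    $file = resolve_download($_GET['id'] ?? null, DOWNLOADS, PROTECTED_DIR);
    if ($file === null) {
        http_response_code(404);
        exit('Not found');
    }
    header('Content-Type: ' . $file['type']);
    header('Content-Length: ' . (string) filesize($file['path']));
    header('Content-Disposition: attachment; filename="' . $file['name'] . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($file['path']);
}
```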
Re: [PHP-DB] Protecting files
Mick,

Since you have the login screens, etc. already, once a user is authenticated, start a session and register a session variable, using a meaningful value fetched from the database. I use "member_id", but anything will do.

At the very top of each page you want to protect, with no spaces or ANYTHING before it, add this code:

    <?php
    session_start();
    // session_is_registered() was removed in PHP 5.4; test $_SESSION instead
    if (!isset($_SESSION["member_id"])) {
        header("Location: user_logon.php");
        exit; // stop here so the protected page is not sent after the redirect
    }
    ?>

The pages all have to have a .php extension so that this code will execute, but other than this one line they can be straight HTML. When a user hits the page, coming from anywhere, and doesn't have a session registered with something in "member_id", he is redirected to the logon page, creatively named "user_logon.php".

The beauty of this is that the session disappears when the browser is closed; you can also provide a "logout" function which has only to destroy the session variable.

Now you can dispense with .htaccess and .htpasswd. To protect each directory, all you need is an index.php in each, containing nothing more than this line. Anyone blundering in will be directed to log on. If you prefer to not protect some pages in a directory, leave the line off.

More than a word, and I hope it's helpful - Miles

At 03:09 AM 4/5/01 +0100, Mick Lloyd wrote:
> Can anyone point me to a tutorial that explains in words of one syllable how to protect files/directories without using .htaccess and .htpasswd. I have log-in screens that search an authorized users database for name, password, level before they can get into the site. But each time someone (ie me at the moment) tries to log-in, the browser throws up the (HTTP Authentication?) dialog box - I guess because I have .htaccess and .htpasswd protecting the directories where the scripts reside. I would prefer not to have this happen and rely only on authentication from the database. But how do I then protect the directories/scripts from anyone wanting to have a look (not that they're worth much!).
>
> Thanks
> Mick Lloyd
> [EMAIL PROTECTED]
> Tel: +44 (0)1684 560224