Re: [PHP-DB] MySQL password protection?

2002-11-07 Thread Adam Voigt
Make the include file (or wherever your page with the pass is)
encrypted; see ioncube.com. They charge by the amount of code you
encrypt; for a simple database include file, I think it would
be $1 or less.

On Wed, 2002-11-06 at 16:04, William Trappeniers wrote:
 Hi all
 
 I was wondering if it is possible to protect my password to the MySQL-server
 from being in a PHP-script.  Now I can't do that, so everybody who gets to
 see my php-sourcecode also can see my (not protected/not encrypted)
 password.
 How can I change this?
 
 Thanks,
 
 William
 
 ---
 William Trappeniers
 mail at: [EMAIL PROTECTED]
 
 
 
 -- 
 PHP Database Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php
 







Re: [PHP-DB] MySQL password protection?

2002-11-06 Thread 1LT John W. Holmes
 I was wondering if it is possible to protect my password to the MySQL-server
 from being in a PHP-script.  Now I can't do that, so everybody who gets to
 see my php-sourcecode also can see my (not protected/not encrypted)
 password.
 How can I change this?

You can't, unless you want to put it in php.ini or a my.conf file...

---John Holmes...






RE: [PHP-DB] MySQL password protection?

2002-11-06 Thread SELPH,JASON (HP-Richardson,ex1)
actually you can make a .php file with your connection info, include it in
your .php files at the top and encrypt that one file (they don't need to see
it anyway).  use a php encoder for the file with your login info in it.

-Original Message-
From: 1LT John W. Holmes [mailto:holmes072000;charter.net]
Sent: Wednesday, November 06, 2002 4:16 PM
To: William Trappeniers; [EMAIL PROTECTED]
Subject: Re: [PHP-DB] MySQL password protection?


 I was wondering if it is possible to protect my password to the MySQL-server
 from being in a PHP-script.  Now I can't do that, so everybody who gets to
 see my php-sourcecode also can see my (not protected/not encrypted)
 password.
 How can I change this?

You can't, unless you want to put it in php.ini or a my.conf file...

---John Holmes...






Re: [PHP-DB] MySQL password protection?

2002-11-06 Thread Steve Cayford
You could put it anywhere. Stick it in a text file somewhere, fopen() 
and read the file for the password. Or keep it in a php script outside 
of the web root if that's the issue, then just include() it when you 
need to.

Of course any file you put it in will have to be readable by whatever 
user the webserver is running as.

-Steve

On Wednesday, November 6, 2002, at 04:16  PM, 1LT John W. Holmes wrote:

I was wondering if it is possible to protect my password to the MySQL-server
from being in a PHP-script.  Now I can't do that, so everybody who gets to
see my php-sourcecode also can see my (not protected/not encrypted)
password.
How can I change this?

You can't, unless you want to put it in php.ini or a my.conf file...

---John Holmes...






Re: [PHP-DB] MySQL password protection?

2002-11-06 Thread 1LT John W. Holmes
Are you sure you can include an encoded file into a non-encoded one?

I had forgotten about this option, but if you can find a worthwhile
compiler/encoder/etc, then that's a solution.

---John Holmes...

- Original Message -
From: SELPH,JASON (HP-Richardson,ex1) [EMAIL PROTECTED]
To: '1LT John W. Holmes' [EMAIL PROTECTED]; William Trappeniers
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, November 06, 2002 5:30 PM
Subject: RE: [PHP-DB] MySQL password protection?


 actually you can make a .php file with your connection info, include it in
 your .php files at the top and encrypt that one file (they don't need to see
 it anyway).  use a php encoder for the file with your login info in it.

 -Original Message-
 From: 1LT John W. Holmes [mailto:holmes072000;charter.net]
 Sent: Wednesday, November 06, 2002 4:16 PM
 To: William Trappeniers; [EMAIL PROTECTED]
 Subject: Re: [PHP-DB] MySQL password protection?


  I was wondering if it is possible to protect my password to the MySQL-server
  from being in a PHP-script.  Now I can't do that, so everybody who gets to
  see my php-sourcecode also can see my (not protected/not encrypted)
  password.
  How can I change this?

 You can't, unless you want to put it in php.ini or a my.conf file...

 ---John Holmes...






RE: [PHP-DB] MySQL password protection?

2002-11-06 Thread Marco Tabini
Make sure that the encoder you use actually makes the string unreadable.
Otherwise, you can use a simple trick, like for example XORing the whole
string with FF or something similar.
-- 

php|architect - The magazine for PHP Professionals
The first monthly worldwide magazine dedicated to PHP programmers

Come visit us at http://www.phparch.com!


---BeginMessage---
actually you can make a .php file with your connection info, include it in
your .php files at the top and encrypt that one file (they don't need to see
it anyway).  use a php encoder for the file with your login info in it.

-Original Message-
From: 1LT John W. Holmes [mailto:holmes072000;charter.net]
Sent: Wednesday, November 06, 2002 4:16 PM
To: William Trappeniers; [EMAIL PROTECTED]
Subject: Re: [PHP-DB] MySQL password protection?


 I was wondering if it is possible to protect my password to the MySQL-server
 from being in a PHP-script.  Now I can't do that, so everybody who gets to
 see my php-sourcecode also can see my (not protected/not encrypted)
 password.
 How can I change this?

You can't, unless you want to put it in php.ini or a my.conf file...

---John Holmes...





---End Message---


Re: [PHP-DB] MySQL password protection?

2002-11-06 Thread Peter Beckman
Create a user nobody with no password and give that user select, update,
delete and insert capabilities in your DB and can only connect from
localhost (or a certain host).  This way they have to be on localhost in
order to gain access to your tables, and only then be able to do what your
nobody user can do.

Then you need to make sure nobody can gain access to localhost without
express permission (i.e. plug all security holes).

Why are you showing people your source-code that has your password in it?

Peter

On Wed, 6 Nov 2002, William Trappeniers wrote:

 Hi all

 I was wondering if it is possible to protect my password to the MySQL-server
 from being in a PHP-script.  Now I can't do that, so everybody who gets to
 see my php-sourcecode also can see my (not protected/not encrypted)
 password.
 How can I change this?

 Thanks,

 William

 ---
 William Trappeniers
 mail at: [EMAIL PROTECTED]





---
Peter Beckman, Systems Engineer, Fairfax Cable Access Corporation
[EMAIL PROTECTED] http://www.purplecow.com/
---






Re: [PHP-DB] MySQL password protection?

2002-11-06 Thread Peter Beckman
And make sure you make sure the webserver will not SERVE that file!!!  You
see the source, see that you are fopening the file, I'll find it on your
system and get it from the web server and I have your password!

Make sure the file is NOT in the document root that the web server serves
from.  You could also just use the file .htpasswd, usually by default web
servers will NOT serve any file named that.  However, much safer to put it
somewhere that the web server cannot see (but your PHP script can).

Also, this is just as insecure as the other way to any person with a login
on the box your PHP script is in.  Usually the script is owned by
nobody:nobody or read-write all, in which case all local users can get your
password.

The nobody method at least keeps no password.

Peter

On Wed, 6 Nov 2002, Steve Cayford wrote:

 You could put it anywhere. Stick it in a text file somewhere, fopen()
 and read the file for the password. Or keep it in a php script outside
 of the web root if that's the issue, then just include() it when you
 need to.

 Of course any file you put it in will have to be readable by whatever
 user the webserver is running as.

 -Steve

 On Wednesday, November 6, 2002, at 04:16  PM, 1LT John W. Holmes wrote:

  I was wondering if it is possible to protect my password to the MySQL-server
  from being in a PHP-script.  Now I can't do that, so everybody who gets to
  see my php-sourcecode also can see my (not protected/not encrypted)
  password.
  How can I change this?
 
  You can't, unless you want to put it in php.ini or a my.conf file...
 
  ---John Holmes...
 
 


---
Peter Beckman, Systems Engineer, Fairfax Cable Access Corporation
[EMAIL PROTECTED] http://www.purplecow.com/
---
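
Added example, not part of the original thread: a shell check for the points raised in the messages above, that the credentials file sits outside the document root and cannot be read or replaced by other local accounts. The function name, the finding labels and any paths passed to it are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a credentials file against the thread's advice.
# Prints one finding per line; exit status 0 means no findings.

# check_secret_file DOCROOT FILE   (hypothetical helper name)
check_secret_file() {
    docroot=$(cd "$1" 2>/dev/null && pwd -P) || { echo "docroot-missing"; return 2; }
    [ -f "$2" ] || { echo "file-missing"; return 2; }
    # Resolve the parent directory physically so ../ and symlinked
    # directories cannot hide a file that really lives under the docroot.
    dir=$(cd "$(dirname "$2")" && pwd -P) || return 2
    file=$dir/$(basename "$2")
    findings=0

    # 1. Anything below the document root can be requested over HTTP.
    case $file in
        "$docroot"/*) echo "inside-docroot"; findings=1 ;;
    esac
    # 2. "Other" read bit set: every local login can read the password.
    if [ -n "$(find "$file" -prune -perm -004)" ]; then
        echo "world-readable"; findings=1
    fi
    # 3. Group/other write bit set: another account can replace the file.
    if [ -n "$(find "$file" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "writable-by-others"; findings=1
    fi
    return "$findings"
}
```

The file still has to be readable by the account the web server runs as, so a clean result here narrows who can read the password but does not hide it from that account.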






RE: [PHP-DB] MySQL password protection?

2002-11-06 Thread Josh Johnson
The standard Apache install filters anything named .ht* on the web
tree.

-- Josh

-Original Message-
From: Peter Beckman [mailto:beckman;purplecow.com] 
Sent: Wednesday, November 06, 2002 6:44 PM
To: Steve Cayford
Cc: [EMAIL PROTECTED]; William Trappeniers
Subject: Re: [PHP-DB] MySQL password protection?

And make sure you make sure the webserver will not SERVE that file!!!  You
see the source, see that you are fopening the file, I'll find it on your
system and get it from the web server and I have your password!

Make sure the file is NOT in the document root that the web server serves
from.  You could also just use the file .htpasswd, usually by default web
servers will NOT serve any file named that.  However, much safer to put it
somewhere that the web server cannot see (but your PHP script can).

Also, this is just as insecure as the other way to any person with a login
on the box your PHP script is in.  Usually the script is owned by
nobody:nobody or read-write all, in which case all local users can get your
password.

The nobody method at least keeps no password.

Peter

On Wed, 6 Nov 2002, Steve Cayford wrote:

 You could put it anywhere. Stick it in a text file somewhere, fopen()
 and read the file for the password. Or keep it in a php script outside
 of the web root if that's the issue, then just include() it when you
 need to.

 Of course any file you put it in will have to be readable by whatever
 user the webserver is running as.

 -Steve

 On Wednesday, November 6, 2002, at 04:16  PM, 1LT John W. Holmes wrote:

  I was wondering if it is possible to protect my password to the MySQL-server
  from being in a PHP-script.  Now I can't do that, so everybody who gets to
  see my php-sourcecode also can see my (not protected/not encrypted)
  password.
  How can I change this?
 
  You can't, unless you want to put it in php.ini or a my.conf file...
 
  ---John Holmes...
 
 



---
Peter Beckman, Systems Engineer, Fairfax Cable Access Corporation
[EMAIL PROTECTED] http://www.purplecow.com/
---






RE: [PHP-DB] MySQL password protection?

2002-11-06 Thread Josh Johnson
Also, you can limit access to a specific table in a specific database
for a specific user, if it makes sense in your application.

-- Josh

-Original Message-
From: Peter Beckman [mailto:beckman;purplecow.com] 
Sent: Wednesday, November 06, 2002 6:41 PM
To: William Trappeniers
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP-DB] MySQL password protection?

Create a user nobody with no password and give that user select, update,
delete and insert capabilities in your DB and can only connect from
localhost (or a certain host).  This way they have to be on localhost in
order to gain access to your tables, and only then be able to do what your
nobody user can do.

Then you need to make sure nobody can gain access to localhost without
express permission (i.e. plug all security holes).

Why are you showing people your source-code that has your password in it?

Peter

On Wed, 6 Nov 2002, William Trappeniers wrote:

 Hi all

 I was wondering if it is possible to protect my password to the MySQL-server
 from being in a PHP-script.  Now I can't do that, so everybody who gets to
 see my php-sourcecode also can see my (not protected/not encrypted)
 password.
 How can I change this?

 Thanks,

 William

 ---
 William Trappeniers
 mail at: [EMAIL PROTECTED]






---
Peter Beckman, Systems Engineer, Fairfax Cable Access Corporation
[EMAIL PROTECTED] http://www.purplecow.com/
---
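
Added example, not part of the original thread: a shell check that reads SHOW GRANTS output and flags any account wider than the restricted account described above (select, insert, update and delete only, on one database or table, from a named host). The account names, the `shop` database and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag account grants wider than the thread's suggestion
# (SELECT/INSERT/UPDATE/DELETE only, one database or table, named host).

# Constructed SHOW GRANTS output for three hypothetical accounts.
sample_grants() {
cat <<'EOF'
GRANT USAGE ON *.* TO 'nobody'@'localhost'
GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO 'nobody'@'localhost'
GRANT SELECT ON `shop`.`orders` TO 'report'@'localhost'
GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'%' WITH GRANT OPTION
EOF
}

# audit_grants: reads SHOW GRANTS lines on stdin, prints "finding<TAB>grantee".
audit_grants() {
    while IFS= read -r line; do
        case $line in "GRANT "*" ON "*" TO "*) ;; *) continue ;; esac
        privs=${line#GRANT }; privs=${privs%% ON *}
        rest=${line#* ON }
        object=${rest%% TO *}
        grantee=${rest#* TO }; grantee=${grantee%% *}
        host=${grantee#*@}

        # '%' in the host part lets the account connect from any machine.
        case $host in *%*) printf 'wildcard-host\t%s\n' "$grantee" ;; esac
        # GRANT OPTION lets the account hand its privileges to others.
        case $line in *"WITH GRANT OPTION"*) printf 'grant-option\t%s\n' "$grantee" ;; esac
        [ "$privs" = "USAGE" ] && continue      # USAGE carries no privileges
        # *.* applies the privileges to every database on the server.
        [ "$object" = "*.*" ] && printf 'global-scope\t%s\n' "$grantee"
        # Anything beyond the four data-manipulation privileges is excess.
        printf '%s\n' "$privs" | tr ',' '\n' | while read -r p; do
            case $p in SELECT|INSERT|UPDATE|DELETE) ;;
                *) printf 'extra-privilege:%s\t%s\n' "$p" "$grantee" ;;
            esac
        done
    done
}
```

Run as `sample_grants | audit_grants`; only the constructed `webapp` account is reported, while the database-wide `nobody` account and the single-table `report` account pass.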






Re: [PHP-DB] MySQL password protection?

2002-11-06 Thread Dave Smith
One thing I do with Postgres that I'm not sure MySQL supports is 
Kerberos5 authentication. This way, a user logs in (and they have a user 
account on the DB) and I use their remote user name and their Kerberos 
ticket to authenticate them to the DB. That works without having to 
store a password anywhere on the filesystem.

--Dave

William Trappeniers wrote:
Hi all

I was wondering if it is possible to protect my password to the MySQL-server
from being in a PHP-script.  Now I can't do that, so everybody who gets to
see my php-sourcecode also can see my (not protected/not encrypted)
password.
How can I change this?

Thanks,

William

---
William Trappeniers
mail at: [EMAIL PROTECTED]







