Hi,
I have a website in a Linux/Apache shared hosting environment and have
been given access to the MySQL server running on the same machine. To
access this database from PHP, I have to call mysql_connect(host,
user, password) where the password is hardcoded into my PHP source
file in clear text.
I see two security problems with this:
1) Since the PHP source is in my public webserver area, another user
of the same server could telnet into the server and look at the source
file and see the password file. I can't lock the file down using Unix
file system permissions or else the webserver won't be able to read
it.
2) If my ISP messes up their webserver config and accidentally stops
parsing PHP files and outputs the PHP file as plain text, the password
will be visible to all.
Is there any other way for PHP to authenticate itself to MySQL?
Thanks in advance!
On Fri, 12 Sep 2003 15:39:33 -0700 in
<message-id:0o********** *************** *******@4ax.com >
Bob <bo*@bob.com> wrote:
> Hi,
> I have a website in a Linux/Apache shared hosting environment and have been given access to the MySQL server running on the same machine. To access this database from PHP, I have to call mysql_connect(host, user, password) where the password is hardcoded into my PHP source file in clear text.
> I see two security problems with this:
> 1) Since the PHP source is in my public webserver area, another user of the same server could telnet into the server and look at the source file and see the password file. I can't lock the file down using Unix file system permissions or else the webserver won't be able to read it.
You need to find somewhere that knows what they're doing to host your
site then (certainly no plug.. there's many available). If they can't
configure their servers correctly to prevent the above action, they
shouldn't be offering the service(s).
> 2) If my ISP messes up their webserver config and accidentally stops parsing PHP files and outputs the PHP file as plain text, the password will be visible to all.
This part is easy =)
Say for example, your web tree is similar to:
/bob
/bob/htdocs
/bob/htdocs/index.php
etc. Store something like 'db_config.php' as:
/bob/db_config.php
This way, it's not web accessible, so matters not if the PHP parsing
falls over. Simply use a require() call to "import" the info:
[ db_config.php ]
<?php
// Lives one level above the web root (/bob/db_config.php in the example tree),
// so Apache never serves it, even if PHP parsing stops working.
$sql = array();
$sql['host'] = 'localhost';
$sql['user'] = 'username';
$sql['pass'] = 'password';
?>
[ index.php ]
<?php
// Pull the credentials in from outside the document root.
// dirname(__FILE__) is the directory of this script (/bob/htdocs).
@require(dirname(__FILE__) . '/../db_config.php');
// mysql_connect() is the old mysql extension (removed in PHP 7);
// the same layout works with mysqli or PDO.
@mysql_connect($sql['host'], $sql['user'], $sql['pass'])
or die('Cannot connect to database!');
[ ... ]
?>
> Is there any other way for PHP to authenticate itself to MySQL?
Not AFAIK.
> Thanks in advance!
Hope the above helps (some?).
Regards,
Ian
--
Ian.H [Design & Development]
digiServ Network - Web solutions www.digiserv.net | irc.digiserv.net | forum.digiserv.net
Programming, Web design, development & hosting.
In article <20************ *************@WINDOZEdigiserv.net>, Ian.H
[dS]'s output was...
> Say for example, your web tree is similar to:
> /bob
> /bob/htdocs
> /bob/htdocs/index.php
> etc. Store something like 'db_config.php' as:
> /bob/db_config.php
> This way, it's not web accessible, so matters not if the PHP parsing falls over. Simply use a require() call to "import" the info:
Or, if you have a webhost who doesn't give you any space which can't be
seen by web users, create .htaccess and .htpasswd files to prevent people
from seeing the 'db_config.php' file.
See http://httpd.apache.org/docs/howto/auth.html for more info.
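The .htaccess approach from the reply above, written out as an added example (not from the original thread). It assumes the config file keeps the thread's name db_config.php, sits inside the web tree because the host offers nothing outside it, and that the host's AllowOverride permits the Limit and AuthConfig directive groups for that directory; the /bob/.htpasswd path is an assumed location.

```apache
# .htaccess in the directory that holds db_config.php (added example, not from the thread)
# Assumes the host allows "AllowOverride Limit AuthConfig" for this directory.

# Option 1: nothing ever needs to fetch the config file over HTTP, so refuse every
# request for it. If PHP parsing breaks, Apache now answers 403 instead of the source.
<Files "db_config.php">
    # Apache 2.4 syntax
    Require all denied
    # Apache 2.2 and earlier equivalent (needs mod_access_compat on 2.4):
    # Order deny,allow
    # Deny from all
</Files>

# Option 2: the .htaccess + .htpasswd variant the reply describes, limited to the
# config file. Only accounts listed in .htpasswd can fetch it; keep .htpasswd
# itself outside the web tree (assumed path /bob/.htpasswd).
# <Files "db_config.php">
#     AuthType Basic
#     AuthName "Restricted"
#     AuthUserFile /bob/.htpasswd
#     Require valid-user
# </Files>
```

Option 1 is the safer of the two for a file nobody should download. Neither option addresses problem 1 from the original post (another shell user on the same box reading the file); only filesystem permissions on a host that runs your PHP under your own account do that.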