Hi,
I have a website in a Linux/Apache shared hosting environment and have
been given access to the MySQL server running on the same machine. To
access this database from PHP, I have to call mysql_connect(host,
user, password) where the password is hardcoded into my PHP source
file in clear text.
I see two security problems with this:
1) Since the PHP source is in my public webserver area, another user
of the same server could telnet into the server and look at the source
file and see the password file. I can't lock the file down using Unix
file system permissions or else the webserver won't be able to read
it.
2) If my ISP messes up their webserver config and accidentally stops
parsing PHP files and outputs the PHP file as plain text, the password
will be visible to all.
Is there any other way for PHP to authenticate itself to MySQL?
Thanks in advance!
On Fri, 12 Sep 2003 15:39:33 -0700 in
<message-id:0o********************************@4ax.com>
Bob <bo*@bob.com> wrote:

> Hi,
> I have a website in a Linux/Apache shared hosting environment and have been given access to the MySQL server running on the same machine. To access this database from PHP, I have to call mysql_connect(host, user, password) where the password is hardcoded into my PHP source file in clear text.
> I see two security problems with this:
> 1) Since the PHP source is in my public webserver area, another user of the same server could telnet into the server and look at the source file and see the password file. I can't lock the file down using Unix file system permissions or else the webserver won't be able to read it.

You need to find somewhere that knows what they're doing to host your
site then (certainly no plug.. there's many available). If they can't
configure their servers correctly to prevent the above action, they
shouldn't be offering the service(s).

> 2) If my ISP messes up their webserver config and accidentally stops parsing PHP files and outputs the PHP file as plain text, the password will be visible to all.

This part is easy =)
Say for example, your web tree is similar to:

/bob
/bob/htdocs
/bob/htdocs/index.php

etc. Store something like 'db_config.php' as:

/bob/db_config.php

This way, it's not web accessible, so matters not if the PHP parsing
falls over. Simply use a require() call to "import" the info:

[ db_config.php ]

<?php
// Stored as /bob/db_config.php, one level above the web root.
$sql = array();
$sql['host'] = 'localhost';
$sql['user'] = 'username';
$sql['pass'] = 'password';
?>

[ index.php ]

<?php
// Resolves to /bob/db_config.php from /bob/htdocs/index.php.
@require(dirname(__FILE__) . '/../db_config.php');
@mysql_connect($sql['host'], $sql['user'], $sql['pass'])
    or die('Cannot connect to database!');
// [ ... ]
?>

> Is there any other way for PHP to authenticate itself to MySQL?

Not AFAIK.

> Thanks in advance!

Hope the above helps (some?).
Regards,
Ian
--
Ian.H [Design & Development]
digiServ Network - Web solutions www.digiserv.net | irc.digiserv.net | forum.digiserv.net
Programming, Web design, development & hosting.
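
Added example (not part of either post): a shell check for the layout described above, flagging a credentials file that sits under the web root or is readable by every local account. The function name, the finding labels and the temporary /bob tree are constructed for illustration.

```shell
#!/bin/sh
# Audit where a PHP credentials file sits relative to the web root.

# check_db_config DOCROOT CONFIG
# Prints "ok" or a space-separated list of findings; returns non-zero on any.
check_db_config() {
    docroot=$(cd "$1" 2>/dev/null && pwd -P) || { echo "docroot-missing"; return 2; }
    [ -f "$2" ] || { echo "config-missing"; return 2; }
    # Physical (symlink-free) directory that holds the config file.
    cfgdir=$(cd "$(dirname "$2")" && pwd -P)
    findings=""
    # Under the web root: served as plain text if PHP parsing ever stops.
    case "$cfgdir/" in
        "$docroot"/*) findings="inside-docroot" ;;
    esac
    # "Other" read bit set: any local account on the shared host can read it.
    if [ -n "$(find "$2" -prune -perm -004 -print)" ]; then
        findings="${findings:+$findings }world-readable"
    fi
    echo "${findings:-ok}"
    [ -z "$findings" ]
}

# Constructed demo tree mirroring the /bob layout from the thread.
demo=$(mktemp -d)
mkdir -p "$demo/bob/htdocs"
: > "$demo/bob/htdocs/db_config.php" && chmod 644 "$demo/bob/htdocs/db_config.php"
: > "$demo/bob/db_config.php" && chmod 640 "$demo/bob/db_config.php"
check_db_config "$demo/bob/htdocs" "$demo/bob/htdocs/db_config.php" || true
check_db_config "$demo/bob/htdocs" "$demo/bob/db_config.php" || true
rm -rf "$demo"
```

Mode 640 only works where the web server reads the file through a shared group or PHP runs under your own account, which depends on the host. The check looks at file placement and mode bits only, so a file under the web root is flagged even when an .htaccess rule blocks HTTP access to it.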
In article <20*************************@WINDOZEdigiserv.net >, Ian.H
[dS]'s output was...

> Say for example, your web tree is similar to:
>
> /bob
> /bob/htdocs
> /bob/htdocs/index.php
>
> etc. Store something like 'db_config.php' as:
>
> /bob/db_config.php
>
> This way, it's not web accessible, so matters not if the PHP parsing falls over. Simply use a require() call to "import" the info:

Or, if you have a webhost who doesn't give you any space which can't be
seen by web users, create .htaccess and .htpasswd files to prevent people
from seeing the 'db_config.php' file.
See http://httpd.apache.org/docs/howto/auth.html for more info.