how to not write password in code for using to mysql?

Hello,
I use PHP and I'd like to not write in hardcoded way password
and login to access to mysql.
how to not write password in code for access to mysql?
How can I do?
I'd like that who see my code don't see my passwords.
there is a solution?
Thank you in advance.
Mario.
May 27 '07 #1
_mario.lat wrote:
> I use PHP and I'd like to not write in hardcoded way password
> and login to access to mysql.
> how to not write password in code for access to mysql?
> How can I do?
> I'd like that who see my code don't see my passwords.
> there is a solution?

I assume you use a Unix like system for your server.

I assume you have your PHP scripts in ~/public_html

Then you can create a directory ~/mypasswords

Now you can create the following file

--- ~/mypasswords/mysql.log.data.php ---
<?PHP
$mysql_login="loginname";
$mysql_passw="secretpass";
$mysql_host="localhost";
$mysql_database="mydb";
?>
--- eof ---

Now in your php script that users can surf to

--- ~/public_html/index.php ---
<?PHP
require_once('../mypasswords/mysql.log.data.php');
mysql_connect($mysql_host, $mysql_login, $mysql_passw);
mysql_select_db($mysql_database);

//and so on...
?>
--- eof ---

Even if there would be a misconfiguration, and the PHP engine would be
disabled, and the code is displayed in raw, no one will be able to see the
login/password/host/database in your code, just see to that the user who is
running the web server has the privileges to read the
~/mypasswords/mysql.log.data.php, but don't make the directory publicly
available on the net (no symlinks to the file or directory in your ~/public_html).

--

//Aho
May 27 '07 #2
Ya that was fine what J.O told but rather than creating that file in
public_html create a .conf file in /etc. for the first installation
take the username and password from user and store it in
/etc/proj_name.conf file and in db.connect.php parse it..

May 27 '07 #3
Ravi wrote:
> Ya that was fine what J.O told but rather than creating that file in
> public_html create a .conf file in /etc. for the first installation
> take the username and password from user and store it in
> /etc/proj_name.conf file and in db.connect.php parse it..

Read it again. J.O. did not say to create the file in public_html.

And most hosting companies do not allow you to write to /etc. You need
a vps or dedicated server to be able to have write access to that directory.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
May 27 '07 #4
>> I use PHP and I'd like to not write in hardcoded way password
>> and login to access to mysql.
>> how to not write password in code for access to mysql?
>> How can I do?
>> I'd like that who see my code don't see my passwords.
>> there is a solution?
>
> Now you can create the following file

Thank you for answering me.
I'm sure there is a better way with crypt:
DES or SHA, RSA...
Mario.
May 27 '07 #5
_mario.lat wrote:
>>> I use PHP and I'd like to not write in hardcoded way password
>>> and login to access to mysql.
>>> how to not write password in code for access to mysql?
>>> How can I do?
>>> I'd like that who see my code don't see my passwords.
>>> there is a solution?
>> Now you can create the following file
>
> Thank you for answering me.
> I'm sure there is a better way with crypt:
> DES or SHA, RSA...

Good luck reversing your database password from a one-way hash. :)

--
Ra*********@gmail.com

"Wikipedia is a bit like the bible of the internet: nobody fundamentally
believes in it and nobody knows what is true." -- z00ze
May 27 '07 #6
_mario.lat wrote:
>>> I use PHP and I'd like to not write in hardcoded way password
>>> and login to access to mysql.
>>> how to not write password in code for access to mysql?
>>> How can I do?
>>> I'd like that who see my code don't see my passwords.
>>> there is a solution?
>> Now you can create the following file
>
> Thank you for answering me.
> I'm sure there is a better way with crypt:
> DES or SHA, RSA...

As Elomaa already pointed out, you will have big trouble decrypting the
one-way hashes. You could use rot13 to encode/decode your passwords, it's not much
protection, but at the first glance someone may think it's the plain password,
to the point when they check your script that decodes the password, at which
point they will see the rot13, but that applies to all two-way encryption, as you
need the decoder in your php script, they will be able to decode your encoded
password without any trouble.

When you use a Unix like system, you can change the password file's privileges
and that way protect the password from other persons' eyes.

Assuming that your user name is mario and that the apache server is run as
the user apache, then do a "chown mario:apache -R ~/mypasswords" and then
"chmod o-rwx -R ~/mypasswords"

This way only you and the web server can read the file with your password, no
other user except root will be able to read the file.

--

//Aho
May 27 '07 #7
C.
On 27 May, 17:56, "_mario.lat" <n...@libero.it> wrote:
>>> I use PHP and I'd like to not write in hardcoded way password
>>> and login to access to mysql.
>>> how to not write password in code for access to mysql?
>>> How can I do?
>>> I'd like that who see my code don't see my passwords.
>>> there is a solution?
>> Now you can create the following file
>
> Thank you for answering me.
> I'm sure there is a better way with crypt:
> DES or SHA, RSA...
> Mario.

IF you use a reversible encryption then the problem still remains that
a password needs to be kept somewhere PHP can read it.

One place to keep the password off the server is at the client end -
and you could have one database password stored encrypted using
each user's password. But you then have the problem of getting the
user's password sent securely to the application (not to mention
non-authenticated access).

Jerry Stuckle rightly said:
> And most hosting companies do not allow you to write to /etc.

But most do block HTTP access to files beginning with .ht - but these
can be read locally.

So if you can't work with files outside your web root, you can get the
same effect by putting your password in .htppasswd.inc.php and
including that. Although honestly it's not a big gain over including a
php file which is directly addressable and parsed as a php file.

At the end of the day there's no simple solution to ensuring that only
your approved scripts read from your configuration files to get
credentials to access other secure resources. base_open_dir goes a
long way to improving things on a shared server if it's done right -
but it doesn't provide any protection if a malicious user can get
their own php code executing on your server.

Suhosin has a lot of interesting bits in it - like a session
encryptor, but I think that there is potentially a gap in the
marketplace for a trusted php platform.

C.

May 27 '07 #8
On Sun, 27 May 2007 18:56:11 +0200, in alt.php "_mario.lat"
<no**@libero.it>
<pa****************************@libero.it> wrote:
>| >I use PHP and I'd like to not write in hardcoded way password
>| >and login to access to mysql.
>| >how to not write password in code for access to mysql?
>| >How can I do?
>| >I'd like that who see my code don't see my passwords.
>| >there is a solution?
>| >
>| Now you can create the following file
>|
>| Thank you for answering me.
>| I'm sure there is a better way with crypt:
>| DES or SHA, RSA...
>| Mario.

Something that hasn't been discussed is mySQL views.
If you are running mySQL 5+ then you can create a view.
---------------------------------------------------------------
jn******@yourpantsyahoo.com.au : Remove your pants to reply
---------------------------------------------------------------
May 28 '07 #9
C. wrote:
> On 27 May, 17:56, "_mario.lat" <n...@libero.it> wrote:
>>>> I use PHP and I'd like to not write in hardcoded way password
>>>> and login to access to mysql.
>>>> how to not write password in code for access to mysql?
>>>> How can I do?
>>>> I'd like that who see my code don't see my passwords.
>>>> there is a solution?
>>> Now you can create the following file
>> Thank you for answering me.
>> I'm sure there is a better way with crypt:
>> DES or SHA, RSA...
>> Mario.
>
> IF you use a reversible encryption then the problem still remains that
> a password needs to be kept somewhere PHP can read it.
>
> One place to keep the password off the server is at the client end -
> and you could have one database password stored encrypted using
> each user's password. But you then have the problem of getting the
> user's password sent securely to the application (not to mention
> non-authenticated access).
>
> Jerry Stuckle rightly said:
>> And most hosting companies do not allow you to write to /etc.
>
> But most do block HTTP access to files beginning with .ht - but these
> can be read locally.

They block http access to files beginning with .ht only if your
httpd.conf and/or .htaccess stop this access. With neither of the
above, the files can be accessed.

> So if you can't work with files outside your web root, you can get the
> same effect by putting your password in .htppasswd.inc.php and
> including that. Although honestly it's not a big gain over including a
> php file which is directly addressable and parsed as a php file.

Most shared hosts give you access to a directory one level below your
web root. The best place to put the files are in a directory (other
than your web root) off of here. They will still be accessible via PHP,
but not from the web.

> At the end of the day there's no simple solution to ensuring that only
> your approved scripts read from your configuration files to get
> credentials to access other secure resources. base_open_dir goes a
> long way to improving things on a shared server if it's done right -
> but it doesn't provide any protection if a malicious user can get
> their own php code executing on your server.

Nothing works if a malicious user gets his php (or any other language)
code running on your server. But with proper security, even a shared
host can prevent others on the same host from executing code in your
area. At that point the most common problem is caused by insecure
userid's/passwords used to upload files, access admin areas, etc.

> Suhosin has a lot of interesting bits in it - like a session
> encryptor, but I think that there is potentially a gap in the
> marketplace for a trusted php platform.
>
> C.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
May 28 '07 #10
On May 27, 5:56 pm, "_mario.lat" <n...@libero.it> wrote:
>>> I use PHP and I'd like to not write in hardcoded way password
>>> and login to access to mysql.
>>> how to not write password in code for access to mysql?
>>> How can I do?
>>> I'd like that who see my code don't see my passwords.
>>> there is a solution?
>> Now you can create the following file
>
> Thank you for answering me.
> I'm sure there is a better way with crypt:
> DES or SHA, RSA...
> Mario.

Hello Mario!, i think that maybe you can "confuse" a little the
malicious user doing the following things:

1st: as i read before, encrypt your password at (for example)
base64:
$user = "mario";
$password = "Y0dGemMzZHZjbVE9"; (the word "password" encrypted at
base64 TWICE, and looks like a plain text passwd)

then, when you want to decrypt it and use it for logging in at some place
of your scripts:
echo base64_decode(base64_decode($password));
or, to confuse the attacker more, you can do the same
$pass_decrypted= base64_decode(base64_decode($password)); <--- but
also encrypted in hex like this..:

echo
"&#x62;&#x61;&#x73;&#x65;&#x36;&#x34;&#x5F;&#x64;&#x65;&#x63;&#x6F;&#x64;&#x65;&#x28;&#x62;&#x61;&#x73;&#x65;&#x36;&#x34;&#x5F;&#x64;&#x65;&#x63;&#x6F;&#x64;&#x65;&#x28;&#x24;&#x70;&#x61;&#x73;&#x73;&#x77;&#x6F;&#x72;&#x64;&#x29;&#x29;&#x3B;";
as doing with echo, when executed, the browser prints the result in
plain text, showing base64_decode(base64_decode($password)), but the
question it's to save the plain text result, in a variable containing
your password decrypted...
I hope this will help you...i just improved this, 'cause i didn't
have time to explore more this (i have to go to work now :( )
Success!!! See u! =)

May 28 '07 #11
On May 28, 3:20 pm, Keniobats <freerevolutiont...@gmail.com> wrote:
> On May 27, 5:56 pm, "_mario.lat" <n...@libero.it> wrote:
>>>> I use PHP and I'd like to not write in hardcoded way password
>>>> and login to access to mysql.
>>>> how to not write password in code for access to mysql?
>>>> How can I do?
>>>> I'd like that who see my code don't see my passwords.
>>>> there is a solution?
>>> Now you can create the following file
>> Thank you for answering me.
>> I'm sure there is a better way with crypt:
>> DES or SHA, RSA...
>> Mario.
>
> Hello Mario!, i think that maybe you can "confuse" a little the
> malicious user doing the following things:
>
> 1st: as i read before, encrypt your password at (for example)
> base64:
> $user = "mario";
> $password = "Y0dGemMzZHZjbVE9"; (the word "password" encrypted at
> base64 TWICE, and looks like a plain text passwd)
>
> then, when you want to decrypt it and use it for logging in at some place
> of your scripts:
> echo base64_decode(base64_decode($password));
> or, to confuse the attacker more, you can do the same
> $pass_decrypted= base64_decode(base64_decode($password)); <--- but
> also encrypted in hex like this..:
>
> echo
> "&#x62;&#x61;&#x73;&#x65;&#x36;&#x34;&#x5F;&#x64;&#x65;&#x63;&#x6F;&#x64;&#x65;&#x28;&#x62;&#x61;&#x73;&#x65;&#x36;&#x34;&#x5F;&#x64;&#x65;&#x63;&#x6F;&#x64;&#x65;&#x28;&#x24;&#x70;&#x61;&#x73;&#x73;&#x77;&#x6F;&#x72;&#x64;&#x29;&#x29;&#x3B;";
> as doing with echo, when executed, the browser prints the result in
> plain text, showing base64_decode(base64_decode($password)), but the
> question it's to save the plain text result, in a variable containing
> your password decrypted...
> I hope this will help you...i just improved this, 'cause i didn't
> have time to explore more this (i have to go to work now :( )
> Success!!! See u! =)

sorry, i forgot to put the link i used to convert characters:
http://people.w3.org/rishida/scripts...conversion.php

good luck

May 28 '07 #12
Keniobats wrote:
> 1st: as i read before, encrypt your password at (for example)
> base64:
> $user = "mario";
> $password = "Y0dGemMzZHZjbVE9"; (the word "password" encrypted at

If the user can read that, then they can read this

> echo base64_decode(base64_decode($password));

And know how to decode the password.


--

//Aho
May 28 '07 #13
> If the user can read that, then they can read this

To me it somehow seems that the original poster is worried about
someone taking a short look on the code, and being able to read the
password. I understood that there is no need to be able to permanently
obfuscate the password for those who have full access to the code.

If however that is the requirement, you are out of luck. I've never
used Zend's platform products, but they might have some kind of
solution to that. Well, I was just thinking about similar behavior to
Weblogic, where the db passwords are stored and connections created
via manager-software. Something like this could of course be
implemented quite straightforwardly as php-extension, but whether that
would be worth the effort is another issue. So the user doesn't write:
<code>
mysql_connect("server", "username", "pass");
</code>
But rather:
<code>
$MyPlatform::getMysqlConnection("TheConnectionForMySyStem");
</code>
Or whatever.

--
Jussi
Deep abstraction kills strong typing.
http://disczero.com
http://view.fi
http://naamio.net
http://hoffburger.com
May 29 '07 #14
On May 27, 11:15 am, "_mario.lat" <n...@libero.it> wrote:
> Hello,
> I use PHP and I'd like to not write in hardcoded way password
> and login to access to mysql.
> how to not write password in code for access to mysql?
> How can I do?
> I'd like that who see my code don't see my passwords.
> there is a solution?
> Thank you in advance.
> Mario.

What is this group's overall view on setting up .htaccess with
something like:
php_value auto_prepend_file /path/to/password/file.php

Is this a "Good Thing" or a "Bad Thing"? I have not dared to use it
yet, though if it never "screws up" I'm inclined to think it is more
secure since the path is hidden even when they can see your scripts.

Jun 3 '07 #15
sundby wrote:
> On May 27, 11:15 am, "_mario.lat" <n...@libero.it> wrote:
>> Hello,
>> I use PHP and I'd like to not write in hardcoded way password
>> and login to access to mysql.
>> how to not write password in code for access to mysql?
>> How can I do?
>> I'd like that who see my code don't see my passwords.
>> there is a solution?
>> Thank you in advance.
>> Mario.
>
> What is this group's overall view on setting up .htaccess with
> something like:
> php_value auto_prepend_file /path/to/password/file.php
>
> Is this a "Good Thing" or a "Bad Thing"? I have not dared to use it
> yet, though if it never "screws up" I'm inclined to think it is more
> secure since the path is hidden even when they can see your scripts.

I don't think that will make any change in the security of the password and
login to the sql server, in most cases if a user is able to read the php code,
then they are on the local machine and would as likely be able to read the
.htaccess file and see where the password and login has been stored.

You really get more protection just by setting the right privileges on the
file where the password and login has been stored, just set the file to belong
to the user and the group that the web server is run as (usually
username:apache) and then see to that the file is readable by the web server
(set g+r) and that everyone else doesn't have any privileges at all (set o-rwx)
and now there are just three users who can read the password/login and it's the
user itself, the web server and root (without SELinux like rules, nothing can
stop root).

Keeping the file outside the "web root" will make that the file won't be
directly accessible by web visitors, this way disabling .htaccess feature in
apache or misconfiguration of the php module won't make the login/password
readable (of course if the user uses something as IIS, then it's possible to
access files outside the "web root", but no sane person would use IIS).
--

//Aho
Jun 3 '07 #16
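
The layout Aho describes in #7 and #16 (credential file outside the web root, readable by the web server's group, nothing for other users, no symlinks to it from public_html) can be checked mechanically. The following is an added example, not code from any poster in this thread; the function names and the paths passed in are assumptions, and `-ef` is a `test` extension available in bash and dash.

```shell
#!/bin/sh
# Added example: audit a credential file against the layout from the thread.
# Function names and all paths are assumptions made for this illustration.

# resolve_dir DIR -> DIR with every symlink resolved (fails if not a directory)
resolve_dir() ( cd -P -- "$1" 2>/dev/null && pwd -P )

# mode_of PATH -> the 10-character type/permission string, e.g. -rw-r-----
mode_of() { ls -ld -- "$1" | cut -c1-10; }

# audit_cred_file FILE WEBROOT
# Prints one line per finding; returns 0 only when there are none.
audit_cred_file() (
    cred=$1 webroot=$2 rc=0

    [ -L "$cred" ] && { echo "FAIL: $cred is a symlink"; exit 1; }
    [ -f "$cred" ] || { echo "FAIL: $cred is not a regular file"; exit 1; }

    cred_dir=$(resolve_dir "$(dirname -- "$cred")") || exit 1
    web_real=$(resolve_dir "$webroot") || { echo "FAIL: no web root $webroot"; exit 1; }
    cred_real=$cred_dir/$(basename -- "$cred")

    # 1. Outside the web root, so a disabled PHP handler cannot serve it raw.
    case "$cred_real" in
        "${web_real%/}"/*) echo "FAIL: $cred_real is inside $web_real"; rc=1 ;;
    esac

    # 2. "o-rwx": no bits for other users on the file or on its directory.
    for p in "$cred_real" "$cred_dir"; do
        m=$(mode_of "$p")
        case "$m" in
            *---) ;;
            *) echo "FAIL: $p is accessible to other users ($m)"; rc=1 ;;
        esac
    done

    # 3. "g+r": the web server's group must be able to read the file.
    case "$(mode_of "$cred_real")" in
        ????r?????) ;;
        *) echo "FAIL: group cannot read $cred_real"; rc=1 ;;
    esac

    # 4. No symlink under the web root may lead to the file or to a
    #    directory above it.
    find "$web_real" -type l | (
        bad=0
        while IFS= read -r link; do
            target=$(resolve_dir "$link") || target=
            if [ "$link" -ef "$cred_real" ]; then
                echo "FAIL: $link points at the credential file"; bad=1
            elif [ -n "$target" ]; then
                case "$cred_real" in
                    "${target%/}"/*) echo "FAIL: $link exposes $target"; bad=1 ;;
                esac
            fi
        done
        exit "$bad"
    ) || rc=1

    [ "$rc" -eq 0 ] && echo "OK: $cred_real"
    exit "$rc"
)

# Usage: sh audit.sh ~/mypasswords/mysql.log.data.php ~/public_html
if [ "$#" -eq 2 ]; then audit_cred_file "$1" "$2"; fi
```

The check reads permission bits only; whether the group that owns the file is the one the web server actually runs as still has to be confirmed against the server's configuration.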
sundby wrote:
> On May 27, 11:15 am, "_mario.lat" <n...@libero.it> wrote:
>> Hello,
>> I use PHP and I'd like to not write in hardcoded way password
>> and login to access to mysql.
>> how to not write password in code for access to mysql?
>> How can I do?
>> I'd like that who see my code don't see my passwords.
>> there is a solution?
>> Thank you in advance.
>> Mario.
>
> What is this group's overall view on setting up .htaccess with
> something like:
> php_value auto_prepend_file /path/to/password/file.php
>
> Is this a "Good Thing" or a "Bad Thing"? I have not dared to use it
> yet, though if it never "screws up" I'm inclined to think it is more
> secure since the path is hidden even when they can see your scripts.

First of all, what good is it going to do you? If someone can see
your source code, they can see your .htaccess.

Second, why auto-include the file where it's not needed (i.e. pages
where you don't require database access)?

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jun 3 '07 #17
> What is this group's overall view on setting up .htaccess with
> something like:
> php_value auto_prepend_file /path/to/password/file.php
>
> Is this a "Good Thing" or a "Bad Thing"? I have not dared to use it
> yet, though if it never "screws up" I'm inclined to think it is more
> secure since the path is hidden even when they can see your scripts.

Why do so in an .htaccess file? Do so in the main apache config.
Besides, I do not think there is much security left if people can see
the source code.
The best way to "protect" the passwords is to make them useless: block
any access from non-known machines (by IP address, for instance).

Best regards,
--
Willem Bogaerts

Application smith
Kratz B.V.
http://www.kratz.nl/
Jun 4 '07 #18
On Sun, 27 May 2007 17:15:42 +0800, mario.lat wrote
(in article <pa****************************@libero.it>):
> Hello,
> I use PHP and I'd like to not write in hardcoded way password
> and login to access to mysql.
> how to not write password in code for access to mysql?
> How can I do?
> I'd like that who see my code don't see my passwords.
> there is a solution?
> Thank you in advance.
> Mario.

well mario , if you understood php , you would understand the answer to your
question.

and don't cross post numb nuts
Jun 9 '07 #19
steve wrote:
> On Sun, 27 May 2007 17:15:42 +0800, mario.lat wrote
> (in article <pa****************************@libero.it>):
>> Hello,
>> I use PHP and I'd like to not write in hardcoded way password
>> and login to access to mysql.
>> how to not write password in code for access to mysql?
>> How can I do?
>> I'd like that who see my code don't see my passwords.
>> there is a solution?
>> Thank you in advance.
>> Mario.
>
> well mario , if you understood php , you would understand the answer to your
> question.
>
> and don't cross post numb nuts

I think your response was completely uncalled for. If you *really*
understood PHP and web servers, you would understand things *can go
wrong* - and mario's concern is well founded.

And you'd also understand that cross-posting is much preferred to
multi-posting, numb nuts.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jun 9 '07 #20
I don't know if this has been mentioned, but one way you can do it is
to store the passwords in some weird place (outside htdocs/www) and
simply mangle the password.

For example, in some of my python scripts, I load a config file that
contains password for db.

The password might be: red*igloo

But in the config file, it's: 0r05ed**0igloo55

Then, in python: password =
password.replace("0","").replace("5","").replace("**", "*")

That's a crude example but you get the idea. Of course, this is NOT
bullet proof if the user can browse your source code and they can
probably figure it out but even if it stops 50% of potential thieves,
it is worth it because it is so easy to do.

Of course, you should make sure you are using a reliable host from a
good company.
http://eblarg.com
On May 27, 5:15 am, "_mario.lat" <n...@libero.it> wrote:
> Hello,
> I use PHP and I'd like to not write in hardcoded way password
> and login to access to mysql.
> how to not write password in code for access to mysql?
> How can I do?
> I'd like that who see my code don't see my passwords.
> there is a solution?
> Thank you in advance.
> Mario.

Jun 26 '07 #21
