
php/mysql security

  • 04-03-2006 9:22pm
    #1
    Closed Accounts Posts: 975 ✭✭✭


    How do you guys protect your mysql connection strings? The idea of having mysql login and password in a php file which might get served as plain text if apache went south is worrying.


    On my own server I put the connection string in a file above the httpdocs directory and modify apache and php config files so I can include the connection string.

    I am currently working on a site which only has ftp access to the document root and I can't do this. The idea of leaving the username and password in the php file terrifies me. What do you guys do?


Comments

  • Closed Accounts Posts: 169 ✭✭akari no ryu


    I'm not sure what your problem is. The only way someone can access your password and username is if they vi (or nano or something) the php file with said connection details. Which means they'd need to be sshed into your account, so it doesn't really matter where you put them. This happens no matter what language you're using to connect to your database, they all have the same vulnerability.

    I use ADODB. It's very easy to configure, it creates a connection object which you use as needs be. There's only one file with the username and password in it.


  • Closed Accounts Posts: 975 ✭✭✭squibs


    The problem is if apache gets messed up it could serve the php file as plain text - along with sql login credentials. ADOdb is grand when it's supported, but if you are on a shared hosting package and it isn't supported, you're goosed.


  • Closed Accounts Posts: 169 ✭✭akari no ryu


    squibs wrote:
    The problem is if apache gets messed up it could serve the php file as plain text - along with sql login credentials.
    If you put your config.php into a folder protected by a htaccess file, then if apache gets fubared, the script will return text with an include to a folder protected by htaccess.
    squibs wrote:
    ADOdb is grand when it's supported, but if you are on a shared hosting package and it isn't supported, you're goosed.
    Why wouldn't it be supported?
    You just stick it into a folder and include it where necessary.
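
The .htaccess approach described in the post above, as an added example that is not part of the original thread: a `.htaccess` file placed in the folder that holds config.php (the folder name `includes/` is an assumption). It assumes the host's AllowOverride setting permits access-control directives in .htaccess files.

```apache
# .htaccess inside the folder that holds config.php
# (hypothetical layout: <document root>/includes/.htaccess)
#
# Refuse every HTTP request for anything in this folder. PHP scripts
# elsewhere in the document root can still include the file by its
# filesystem path, because include does not go through Apache's
# access control.

# Apache 2.4 and later (mod_authz_core)
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2 and earlier (no mod_authz_core)
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

To check it, request the config file's URL in a browser: the response should be 403 Forbidden, not the file's contents or a blank page.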


  • Registered Users, Registered Users 2 Posts: 6,570 ✭✭✭daymobrew


    If you put your config.php into a folder protected by a htaccess file, then if apache gets fubared, the script will return text with an include to a folder protected by htaccess.
    Agreed - on sourceforge.net I put my database passwords in the directory above 'htdocs' so it will never be returned by apache.


  • Closed Accounts Posts: 975 ✭✭✭squibs


    Agreed - on sourceforge.net I put my database passwords in the directory above 'htdocs' so it will never be returned by apache.

    This is what I do on my virtual server, but on most shared hosting packages apache and php are configured to only serve php files from the document root, so this isn't an option. Might try the .htaccess trick though.


  • Registered Users, Registered Users 2 Posts: 144 ✭✭Sidane


    squibs wrote:
    This is what I do on my virtual server, but on most shared hosting packages apache and php are configured to only serve php files from the document root, so this isn't an option. Might try the .htaccess trick though.

    Correct me if I'm misunderstanding the problem, but your common include files don't have to be in the document root directory to be parsed.

    As long as you have access to the directory above your public_html/document root directory, you can bang your php config files in there and include them in your public_html php files and the PHP interpreter will still parse them.


  • Subscribers Posts: 9,716 ✭✭✭CuLT


    chmod 700 config.php

    problem solved.

    Sidane, if you read his first post, he only has access to the doc root, nothing above.

