PHP/MySQL Secuirty Threat

I was thinking about something...

Okay, listen up: Everyone hopefully already puts their mysql password in a include file and includes that instead of just using it in their mysql connect statement. That way if php crashes and your php source is displayed, no one will see your password. Right?

Well, if your php crashes and people see your source, they will just see the name of the include file, and would be able to connect to your database using that include file...even if they dont actually know your password.

Isn't this still a security threat?

Quote:

---

If php crashes and your php source is displaye

---

That doesn't happen...

Quote:

---

be able to connect to your database using that include file...even if they dont actually know your password.

---

How would they do that???

If they get the file then the only way to log into MySQL using that Username and Password is to upload a file or login to your server using Telnet or SSH both of which would require the user to have your account info (which hopefully isn't the same as your MySQL info) :D

Furthermore in the slight case they did find the name of your include file, you should be storing your include files outside the webroot

Actually, you could just go mysql_connect(http://sitepoint.com, username, password) or wahtever the command is

and then go include(http://www.sitepoint.com) bla bla

but freddydoesphp is right. If your storing it outside your web dir. it wont matter.

I was thinking, what would be good, is an "encryption" system for php, like CF. Only problem is it will only keep the inexperienced from viewing the code, because like CF decryptors will come along soon enough.. still worth considering though?

What...?

Are you saying you would be able to view the source code...?

No if your server is configured to parse .*** as php then php will not give up its code, I am talking on unix here, I know that there are ways and means to grab ASP code from NT etc, but thats more of a platform/server issue.

Make sure that your server parses .inc files as php or rename your .inc's to .php/.htm or whatever and your code is pretty safe, outside of the root even better.

I think what he is getting at is that if you run the CGI version of PHP and it fails to parse the PHP then you would be able to see the actual PHP code and if you included a password file e.g. Your database log on details, in your page they would be able to see where it was stored and if the file was under the web accessible folder they would be able to read it - Which is why like freddy mentioned it is a good idea to keep password files outside web accessible folders for security reasons.

As far as I know if you run the module versino of Apache it will not fail to process the PHP in the same way, because if it fails to process the PHP then there is a good chance that the error would have caused Apache to stop serving the pages as well.

Quote:

---

Originally posted by Karl
I think what he is getting at is that if you run the CGI version of PHP and it fails to parse the PHP then you would be able to see the actual PHP code and if you included a password file e.g. Your database log on details, in your page they would be able to see where it was stored and if the file was under the web accessible folder they would be able to read it - Which is why like freddy mentioned it is a good idea to keep password files outside web accessible folders for security reasons.

As far as I know if you run the module versino of Apache it will not fail to process the PHP in the same way, because if it fails to process the PHP then there is a good chance that the error would have caused Apache to stop serving the pages as well.

---

THANK YOU, that was EXCACTLY what I was saying, you nailed it on the head. I see some karma points for you... :)