
  1. #1 jumpthru (SitePoint Wizard, Los Angeles, California)
    I was thinking about something...

    Okay, listen up: everyone hopefully already puts their MySQL password in an include file and includes that instead of just using it in their mysql connect statement. That way, if PHP crashes and your PHP source is displayed, no one will see your password. Right?

    Well, if your PHP crashes and people see your source, they will just see the name of the include file, and would be able to connect to your database using that include file... even if they don't actually know your password.

    Isn't this still a security threat?

  2. #2 JohnM (SitePoint Enthusiast)
    Originally posted by jumpthru
    If php crashes and your php source is displayed
    That doesn't happen...

    Originally posted by jumpthru
    be able to connect to your database using that include file... even if they don't actually know your password.
    How would they do that???

  3. #3 Hartmann (chown linux:users\ /world, Houston, TX, USA)
    If they get the file, then the only way to log into MySQL using that username and password is to upload a file or log in to your server using Telnet or SSH, both of which would require the user to have your account info (which hopefully isn't the same as your MySQL info).

  4. #4 Dumb PHP codin' cat (San Diego, CA)
    Furthermore, in the slight case they did find the name of your include file, you should be storing your include files outside the webroot.

  5. #5 jumpthru (SitePoint Wizard)
    Actually, you could just go mysql_connect(http://sitepoint.com, username, password) or whatever the command is

    and then go include(http://www.sitepoint.com) bla bla

    but freddydoesphp is right. If you're storing it outside your web dir, it won't matter.

  6. #6 SitePoint Evangelist (Warwickshire, England)
    I was thinking, what would be good is an "encryption" system for PHP, like CF. The only problem is it will only keep the inexperienced from viewing the code, because, like with CF, decryptors will come along soon enough... still worth considering though?

  7. #7 jumpthru (SitePoint Wizard)
    What...?

    Are you saying you would be able to view the source code...?

  8. #8 firepages (Perth, Australia)
    No, if your server is configured to parse .*** as PHP, then PHP will not give up its code. I am talking about Unix here; I know that there are ways and means to grab ASP code from NT etc., but that's more of a platform/server issue.

    Make sure that your server parses .inc files as PHP, or rename your .inc's to .php/.htm or whatever, and your code is pretty safe; outside of the root is even better.

  9. #9 Karl (SitePoint Wizard, Derbyshire, UK)
    I think what he is getting at is that if you run the CGI version of PHP and it fails to parse the PHP, then you would be able to see the actual PHP code, and if you included a password file (e.g. your database logon details) in your page, they would be able to see where it was stored, and if the file was under the web-accessible folder they would be able to read it. Which is why, like freddy mentioned, it is a good idea to keep password files outside web-accessible folders for security reasons.

    As far as I know, if you run the module version of Apache it will not fail to process the PHP in the same way, because if it fails to process the PHP then there is a good chance that the error would have caused Apache to stop serving the pages as well.
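One way to put what freddydoesphp, firepages and Karl describe into practice, as an added example that is not code from the thread: the credentials file lives outside the document root, carries a .php extension so a web server would execute it rather than print it, and the loader refuses to run if the file is ever found under DOCUMENT_ROOT. The directory layout, the db-config.php file and its array keys are assumptions, and mysqli stands in for the mysql_connect call the thread mentions.

```php
<?php
// Added example, not code from the thread. Hypothetical layout:
//   /var/www/example.com/htdocs/   <- DOCUMENT_ROOT, holds index.php
//   /var/www/example.com/private/  <- db-config.php, never served by Apache
declare(strict_types=1);

/**
 * Load DB credentials from a file that must sit outside the web root.
 * The file returns an array instead of defining globals, e.g.:
 *   <?php return ['host' => 'localhost', 'user' => 'app',
 *                 'pass' => 'change-me', 'name' => 'shop'];
 */
function loadDbConfig(string $path): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("DB config not found: $path");
    }

    // Fail closed if the file is ever moved under DOCUMENT_ROOT: there a
    // request that PHP fails to parse could return it as plain text.
    $docRoot = (isset($_SERVER['DOCUMENT_ROOT']) && $_SERVER['DOCUMENT_ROOT'] !== '')
        ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docRoot !== false
        && str_starts_with($real, rtrim($docRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException('DB config must live outside the web root');
    }

    // A .php extension means the server executes rather than prints the file,
    // and a bare "return [...]" produces no output if it is requested directly.
    $cfg = require $real;
    if (!is_array($cfg)) {
        throw new RuntimeException('DB config must return an array');
    }
    foreach (['host', 'user', 'pass', 'name'] as $key) {
        if (!isset($cfg[$key]) || !is_string($cfg[$key])) {
            throw new RuntimeException("DB config is missing '$key'");
        }
    }
    return $cfg;
}

// htdocs/index.php: include by absolute path, so the web root never holds the
// credentials and an include name seen in a leaked source is of no use.
$cfg = loadDbConfig(__DIR__ . '/../private/db-config.php');
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name']);
```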

  10. #10 jumpthru (SitePoint Wizard)
    Originally posted by Karl
    I think what he is getting at is that if you run the CGI version of PHP and it fails to parse the PHP, then you would be able to see the actual PHP code, and if you included a password file (e.g. your database logon details) in your page, they would be able to see where it was stored, and if the file was under the web-accessible folder they would be able to read it. Which is why, like freddy mentioned, it is a good idea to keep password files outside web-accessible folders for security reasons.

    As far as I know, if you run the module version of Apache it will not fail to process the PHP in the same way, because if it fails to process the PHP then there is a good chance that the error would have caused Apache to stop serving the pages as well.
    THANK YOU, that was EXACTLY what I was saying, you nailed it on the head. I see some karma points for you...

