  1. #1
    SitePoint Member, joined Sep 2000, 15 posts
    I have a client that brought to my attention a very interesting problem.

    Say he has a website (www.domain.com) and he has a PHP page on it (order.php) that connects to the database. He has the user and pass in the page.

    OK.

    This is a Linux server.

    It seems that another person on the server could just figure out what directory he is in.

    Then just do "vi order.php",

    so they could read the user and pass and then connect to the database and steal information,

    or even steal the scripts.

    I hope I explained this OK.

    Does anybody have a solution to this?

    I sure hope so.

    Visit http://phphost@mybizhosting.com for great deals
    Visit http://sitepoint@mybizhosting.com for LIVE SUPPORT, PHP, MySQL, JSP/Servlets, Control Panel, Instant Setup, and great Prices!

  2. #2
    SitePoint Author Kevin Yank, joined Apr 2000, Melbourne, Australia, 2,571 posts
    He should chmod the file so that only he and the root user (which presumably is running the Web server) can read the file.
    Kevin Yank
    CTO, sitepoint.com
    I wrote: Simply JavaScript | BYO PHP/MySQL | Tech Times | Editize
    Baby’s got back—a hard back, that is: The Ultimate CSS Reference

  3. #3
    SitePoint Member, joined Dec 2000, Poland, 17 posts
    I am a total newbie, so I can give you only the simplest tips:

    1. The httpd (Apache) runs at "root" level, but all processes which are serving connections run at "nobody" level (default setting), and the PHP script must be readable by that user.

    2. Never put a mysql_connect() call directly in your PHP script, because if the PHP module accidentally stops working your script will be sent to a user's browser (and your password too). To avoid it, use the include() function in PHP and put the included script in a directory not available for browsing (i.e. outside the html root directory), e.g.:

    <?php
    ...
    include("../classified/MySQL_access.inc");
    ...
    mysql_query($sql,$db);
    ...
    ?>

    This solution is recommended in the PHP or MySQL manual. I assumed that your script is in the html root directory.

    3. Then you can restrict the "classified" directory and all files in it to only the "nobody" user, and it should do the trick. Even if another user reads your PHP scripts, they would be unable to find your MySQL password. Check whether the "nobody" account has a password set up (you don't need to know it if it is set by default to some random string).

    Regards
    Chris
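As an added example (not code from any poster in this thread), here is a small POSIX shell script that audits a site directory for files any local account can read and then applies the permissions the two replies describe: owner read/write, web-server group read, nothing for "other". The `classified` path and the web-server group name are assumptions; the thread's host runs the server as "nobody", so the group would typically be whatever group that account belongs to.

```shell
#!/bin/sh
# Constructed example: find PHP/include files under a site directory that
# are readable by "other" (i.e. by any local shell account on a shared host)
# and lock a credentials file or directory down so only the owner and the
# web-server group can read it.

# List regular files under $1 whose mode grants read to "other".
world_readable_files() {
    find "$1" -type f -perm -o=r -print | sort
}

# Lock down $1 (file or directory). Optional $2 is the web-server group
# (assumed name, e.g. the group the "nobody" account belongs to); when
# given, the group is changed so the server can still read the file while
# other accounts cannot. Files get rw-r-----, directories rwxr-x---.
lock_down() {
    path="$1"
    group="${2:-}"
    if [ -n "$group" ]; then
        chgrp "$group" "$path" || return 1
    fi
    if [ -d "$path" ]; then
        chmod u=rwx,g=rx,o= "$path"
    else
        chmod u=rw,g=r,o= "$path"
    fi
}

# Print the octal mode of $1 (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage on a real host (assumed paths):
#   world_readable_files /home/site            # audit
#   lock_down /home/site/classified nobody     # directory
#   lock_down /home/site/classified/MySQL_access.inc nobody
```

Run the audit before and after locking down; the credentials file should disappear from the world-readable list while the web server, as a member of the group, can still include it.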

