  1. #1 thoresson (SitePoint Addict; Gothenburg, Sweden; joined Dec 2002; 255 posts)

    web site security: how to hide login info for mysql-connection

    Hi,

    At the moment I store username, password and database for my MySQL connections in a file called settings.php to avoid putting them in my php files direct. On a Linux server, what extra steps can I take to prevent others from accessing settings.php?

    Somewhere, I've read that settings.php should be placed in a directory outside the html/php-directories. Today, my web directory is /home/anders/public_html and subdirectories to public_html. Should settings.php be placed in /home/anders/include?

    What settings should /include have?

    //Anders

  2. #2 Mike Borozdin (SitePoint Wizard; Edinburgh, UK; joined Oct 2002; 1,743 posts)

    What do you mean by others?
    Visitors of your site CAN'T see that file, don't worry about them.

  3. #3 R. U. Serious (SitePoint Zealot; joined Feb 2003; 156 posts)
    Hi thoresson,

    basically you said everything yourself. Include files should go in a directory 'above' the document root. This is in case the webserver is running but the PHP interpreter gets crooked, resulting in plain files being served. And also to avoid someone calling those included files directly to mess with uninitialized variables. Yes, of course there are ways around the latter, but experience shows that the more possibilities there are for mistakes, the more are being made.

    The permission settings on your include directory (if it is outside the webserver's directory root) depend on the configuration of your webserver.
    However, it is something your host should make sure of: that nobody (on the same server) can access those files. Someone from outside the server will not have any way to access those files (except through holes that you left in your own files that are in the doc-root).

    To make a long story short: put include files outside the doc-root; you should not have to worry about permissions on the include directory.

  4. #4 thoresson (SitePoint Addict; Gothenburg, Sweden; joined Dec 2002; 255 posts)
    Quote Originally Posted by R. U. Serious
    To make a long story short: Put include-files outside the doc-root, you should not have to worry about permissions on the include directory.
    It was a long time ago that I started this thread, but I never really got it the last time:

    If my home catalog is /home/thoresson and /home/thoresson/public_html is for html/php, putting passwords and usernames in a file in /home/thoresson/include should be safe, as long as I set the correct access rights for the /home/thoresson/include directory? What should these be on a SunOS server?

    Is it just about the access rights for the directory, or should the access rights for /home/thoresson/include/mysql.inc be set in a certain way as well?

    //Anders
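    The question in posts #3 and #4 is what the include directory and the file in it should look like once they live outside the document root. The following is an added example, not code from the thread: a portable shell check that takes the credentials file and the document root and fails if the file resolves to a location inside the document root, if its group/other permission bits are set, or if its directory is writable by group or others. The function name and the demo layout are my own; the paths mirror /home/thoresson/include and /home/thoresson/public_html from the thread.

```sh
#!/bin/sh
# Added example, not code from the thread. Checks that a credentials file
# (e.g. /home/thoresson/include/mysql.inc) is kept outside the document root
# and is readable only by its owner. Function name and demo paths are mine.

# Usage: check_secret_file FILE DOCROOT
# Returns 0 when every check passes, otherwise prints each problem found
# and returns 1.
check_secret_file() {
    file=$1
    docroot=$2
    status=0

    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 1
    fi

    # Compare resolved paths (pwd -P) so an include directory that is really
    # a symlink into public_html is caught as well.
    real_dir=$(cd "$(dirname "$file")" && pwd -P)
    real_docroot=$(cd "$docroot" 2>/dev/null && pwd -P)
    if [ -n "$real_docroot" ]; then
        case "$real_dir/" in
            "$real_docroot"/*)
                echo "inside document root: $file"
                status=1 ;;
        esac
    fi

    # In 'ls -l' output, columns 5-10 are the group and other rwx bits.
    # All six must be '-' so that only the owner can read the credentials.
    perms=$(ls -ld "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "group/other bits set on file ($perms): $file"
        status=1
    fi

    # Columns 6 and 9 are the group and other write bits of the directory;
    # if either is set, a neighbour could replace the file with their own.
    dperms=$(ls -ld "$real_dir" | cut -c6,9)
    if [ "$dperms" != "--" ]; then
        echo "directory writable by group/other: $real_dir"
        status=1
    fi

    return "$status"
}

# Constructed demo: build the thread's layout under a temp dir, check the
# properly placed file, then check a copy accidentally dropped into the
# web root.
tmp=$(mktemp -d)
mkdir -p "$tmp/home/thoresson/public_html" "$tmp/home/thoresson/include"
printf '<?php $db_pass = "example";\n' > "$tmp/home/thoresson/include/mysql.inc"
chmod 700 "$tmp/home/thoresson/include"
chmod 600 "$tmp/home/thoresson/include/mysql.inc"
if check_secret_file "$tmp/home/thoresson/include/mysql.inc" "$tmp/home/thoresson/public_html"; then
    echo "ok: include/mysql.inc"
fi
cp "$tmp/home/thoresson/include/mysql.inc" "$tmp/home/thoresson/public_html/settings.php"
if ! check_secret_file "$tmp/home/thoresson/public_html/settings.php" "$tmp/home/thoresson/public_html"; then
    echo "rejected: public_html/settings.php"
fi
rm -rf "$tmp"
```

    The modes the check enforces (0700 on the directory, 0600 on the file) only help if the PHP that reads the file runs as your own account (suexec, or a php-fpm pool running as that user). With mod_php every site's scripts run as the one web-server user, so the permission bits cannot tell your scripts from a neighbour's, which is the gap the later posts in this thread point out; in that setup the remedy has to come from the host (per-user PHP, or open_basedir limits per virtual host), not from the bits on your file.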

  5. #5 Chillijam (SitePoint Addict; England; joined Nov 2003; 293 posts)

    If you have access to your webserver's config, I would configure it to not serve files with a .inc extension. In Apache, you can set the following in httpd.conf.

    Code:
    <Files *.inc>
        Order allow,deny
        Deny from all
    </Files>
    With this set, even if you screw up really badly and copy your files to your web-root, your webserver won't serve them directly.
    Your mind is like a parachute. It works best when open.
    (HH The Dalai Lama)

  6. #6 N9ne (SitePoint Evangelist; UK; joined Aug 2002; 596 posts)
    However, couldn't someone on the same server (if they knew this file existed, and its location) just use an include() ?

    They could just
    include('/full/path/to/include/folder/settings.php');

    Or I think possibly even just use highlight_file(...) to get nice colouring too.

  7. #7 Chillijam (SitePoint Addict; England; joined Nov 2003; 293 posts)
    Quote Originally Posted by N9ne
    However, couldn't someone on the same server (if they knew this file existed, and its location) just use an include() ?

    They could just
    include('/full/path/to/include/folder/settings.php');

    Or I think possibly even just use highlight_file(...) to get nice colouring too.
    Yes, they could. They could also do things like...

    PHP Code:
    highlight_file('/etc/passwd');
    highlight_file('/etc/httpd/conf/httpd.conf');
    so I'm not sure it is worth worrying about too much.
    Your mind is like a parachute. It works best when open.
    (HH The Dalai Lama)
