  1. #1
    operator (SitePoint Addict, Bangkok; joined Aug 2004; 388 posts)

    Is my database password really safe in an includes directory?

    I am about to upload my first database driven website. I've created an includes directory, and inside it, I've placed a php file that is used to connect to the MySQL database. Is this db.php file secure enough like that, or are there other measures I should take to ensure my database password is safe?

    Thanks.

  2. #2
    jinkas (SitePoint Zealot, Madison, WI; joined Aug 2004; 191 posts)
    Safest bet is to put the file above the site root... that will make it pretty tough to get to.

  3. #3
    Dean C (SitePoint Wizard, England, UK; joined Mar 2003; 2,906 posts)
    It's safe, PHP source code cannot be accessed unless the person can download the file off your server.

  4. #4
    operator (SitePoint Addict, Bangkok; joined Aug 2004; 388 posts)
    The highest I can go is my domain name. Below that I have htpasswds, etc, mail, tmp, www, and so on. Do you mean I should create a folder up here (on the same level as the www folder)?

  5. #5
    jinkas (SitePoint Zealot, Madison, WI; joined Aug 2004; 191 posts)
    Let's say that http://www.example.com loads /var/www/public_html/index.php

    I would make a directory /var/www/includes/ and throw the file in there. That way there is no way the file can be accessed through the web.

  6. #6
    operator (SitePoint Addict, Bangkok; joined Aug 2004; 388 posts)
    Thanks a lot so far. Another question though: I have also created an admin section to use to update the website. All the files for the admin section are placed in a folder called admin. So if I place the admin folder up there where I've securely placed my includes folder, it should be safe, right? Sounds logical, but I'd like to hear opinions from those more experienced than I. Thanks a lot guys/gals!

  7. #7
    shakin (SitePoint Addict; joined Nov 2001; 213 posts)
    Quote Originally Posted by jinkas
    that way there is no way the file can be accessed through the web.
    Save for a directory traversal vulnerability. Gotta be careful with any script that accesses a file.

  8. #8
    operator (SitePoint Addict, Bangkok; joined Aug 2004; 388 posts)
    Quote Originally Posted by shakin
    directory traversal vulnerability
    Uh oh, I don't like the sound of that!

  9. #9
    Dean C (SitePoint Wizard, England, UK; joined Mar 2003; 2,906 posts)
    People won't hack your site and get that info by entering a URL into their web browser. It's only when you allow variable input into an include(_once) or a require(_once) that the problems start. Don't worry about it!

  10. #10
    SitePoint Member (joined Mar 2002; 14 posts)
    Quote Originally Posted by operator
    Thanks a lot so far. Another question though: I have also created an admin section to use to update the website. All the files for the admin section are placed in a folder called admin. So if I place the admin folder up there where I've securely placed my includes folder, it should be safe, right? Sounds logical, but I'd like to hear opinions from those more experienced than I. Thanks a lot guys/gals!
    Putting the admin folder above the document root will stop you from being able to access it. It will need to be inside the site root folder (usually public_html) to be accessed from a web browser. However, I would recommend you protect the admin folder with a .htaccess file.

  11. #11
    operator (SitePoint Addict, Bangkok; joined Aug 2004; 388 posts)
    Thanks for all the help so far.
    I think I've got it sorted out. How does this sound?:
    I uploaded my admin folder to my webspace, and then used Protect Directory in cPanel to assign a password. My question: Is this the same as manually adding/editing the .htaccess and .htpasswd files? If not, is it secure?

    Another quick question, if I may: If I put my includes directory above my site root, how do I link to my included files? Right now I'm using this:

    include $_SERVER['DOCUMENT_ROOT'] . '/includes/db.inc.php';

    What should I replace this with, if the includes folder is above the root?

    ad(thanks)vance,
    Mark
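Added example, not from the thread or any poster: one way to reach an includes directory that sits one level above the document root, in the /var/www layout jinkas describes in #5. The paths, the db.inc.php name and the pages/ layout are assumptions.

```php
<?php
// Added example, not from the thread. Locates an includes directory that sits
// one level above the web root, in the layout jinkas describes in #5:
//   /var/www/public_html  = document root (served by Apache)
//   /var/www/includes     = holds db.inc.php (never served)
// The paths and the db.inc.php name are assumptions; adapt them to your host.

// Option A: step up from the document root the web server reports.
$includesDir = dirname(rtrim($_SERVER['DOCUMENT_ROOT'], '/')) . '/includes';

// Option B (preferred): step up from the directory of the calling script, so
// the result does not depend on the server's DOCUMENT_ROOT setting. For a
// script in a subdirectory of the web root, add one more dirname() level.
$includesDir = dirname(__DIR__) . '/includes';

$dbConfig = $includesDir . '/db.inc.php';

// Fail closed: a missing or unreadable file stops the page instead of letting
// it run on with undefined credentials.
if (!is_file($dbConfig) || !is_readable($dbConfig)) {
    http_response_code(500);
    exit('Database configuration is not available.');
}

// Deployment sanity check: the resolved file must not be under the document
// root, or the whole point of moving it is lost.
$realRoot = realpath($_SERVER['DOCUMENT_ROOT']);
$realFile = realpath($dbConfig);
if ($realRoot !== false && $realFile !== false
    && strncmp($realFile, $realRoot . DIRECTORY_SEPARATOR, strlen($realRoot) + 1) === 0) {
    trigger_error('db.inc.php resolves to a path inside the document root', E_USER_WARNING);
}

require $dbConfig;
```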

  12. #12
    Dean C (SitePoint Wizard, England, UK; joined Mar 2003; 2,906 posts)
    Hey Mark, as I said above, there are hundreds of commercial scripts that keep the config info for a mysql database within the public sector. Take vBulletin for example. Look at OT forums, even they have their mysql config file available for people to open with their browser:

    http://forums.offtopic.com/includes/config.php

    There's no way people can read the contents of that file via their browser. Don't worry about all these extra security measures including .htaccess. If someone were to get into that file it would be either by hacking your server, and then they'd have access to everything, or, like I said above, when you allow variable input to an include or a require and don't cleanse the incoming request variable which is being passed to the function. Even then a .htaccess won't protect you, as the require is being done server-side, which'll in turn ignore any .htaccess file.
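Added example, not from the thread or any poster: the "variable input to include" problem Dean describes in #9 and #12, next to the allow-list pattern that removes it. The page names and the pages/ directory are assumptions.

```php
<?php
// Added example, not from the thread. Shows the "variable input to include"
// problem Dean describes in #9 and #12, and the allow-list pattern that
// removes it. The page names and the pages/ directory are assumptions.

// Risky: the request decides the file name. Whatever PHP itself can read is
// reachable this way, including a config file kept above the web root, and
// .htaccess never enters into it because PHP, not Apache, performs the read.
function loadPageUnsafe(): void
{
    include $_GET['page'] . '.php';
}

// Safer: the request only picks a key; the file name comes from a fixed table
// that the request cannot alter.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolvePage(string $requested, array $allowed = PAGES): string
{
    // array_key_exists() is a strict key lookup; unknown keys fall back to a
    // fixed 404 page rather than to anything derived from the request.
    if (!array_key_exists($requested, $allowed)) {
        http_response_code(404);
        return __DIR__ . '/pages/404.php';
    }
    return __DIR__ . '/pages/' . $allowed[$requested];
}

// Only a plain string is accepted; ?page[]=... arrives as an array and is ignored.
$page = (isset($_GET['page']) && is_string($_GET['page'])) ? $_GET['page'] : 'home';
require resolvePage($page);
```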

  13. #13
    operator (SitePoint Addict, Bangkok; joined Aug 2004; 388 posts)
    Dean, youda man! Your help is appreciated! Thank you.

  14. #14
    operator (SitePoint Addict, Bangkok; joined Aug 2004; 388 posts)
    Btw, I took a look at your site just now. I love the clean, crisp appearance. Nice!

  15. #15
    Dean C (SitePoint Wizard, England, UK; joined Mar 2003; 2,906 posts)
    Thank you, sir. Your kind words are much appreciated.

  16. #16
    coo_t2 (Non-Member, Dog Street; joined Feb 2003; 1,819 posts)
    Quote Originally Posted by Dean C
    Hey Mark, as I said above, there are hundreds of commercial scripts that keep the config info for a mysql database within the public sector. Take vBulletin for example. Look at OT forums, even they have their mysql config file available for people to open with their browser:

    http://forums.offtopic.com/includes/config.php

    There's no way people can read the contents of that file via their browser. Don't worry about all these extra security measures including .htaccess. If someone were to get into that file it would be either by hacking your server, and then they'd have access to everything, or, like I said above, when you allow variable input to an include or a require and don't cleanse the incoming request variable which is being passed to the function. Even then a .htaccess won't protect you, as the require is being done server-side, which'll in turn ignore any .htaccess file.
    If something gets screwed up with the server configuration that causes the PHP code to not be parsed, the PHP file could be served in plain text format.

    --ed

