  1. #1
    SitePoint Evangelist
    Join Date
    Jan 2005
    Posts
    502

    Protecting Database passwords

    Hi,
    I was wondering if someone could explain this to me, I have read conflicting opinions on this issue, and was hoping someone could clear it up.
    If I just have all my website php pages, some of which include my database password, located in my publichtml directory on the server, will users be able to access these files and see what my password is?
    Is this the issue that tools such as SourceGuardian protect against, or do they protect against other issues?

    Can please someone explain this to me?

    Thanks
    Mike

  2. #2
    SitePoint Addict
    Join Date
    Feb 2004
    Location
    Netherlands
    Posts
    381
    Users can't access PHP code on your server since it's server-side.

    It wouldn't be a problem for you.

  3. #3
    SitePoint Enthusiast
    Join Date
    Jul 2004
    Location
    Sydney, Australia
    Posts
    51
    Kevin Yank makes the point that that's fine unless for some reason the PHP engine fails in which case the file contents might be passed out as plain text. This is in the PHP/MySQL book from Sitepoint.

  4. #4
    SitePoint Addict
    Join Date
    Feb 2004
    Location
    Netherlands
    Posts
    381
    In real life, when does this happen?

    Ah well, I never make it hard on myself to code my stuff.

  5. #5
    SitePoint Guru MikeBigg
    Join Date
    Jun 2004
    Location
    Reading, UK
    Posts
    970
    Quote Originally Posted by Sergeant
    In real life, when does this happen?
    This happened to me and a bunch of other people who were on the same badly managed shared hosting server. It is rare, though.

    One thing to do is to put the database connection details and a connection function in a separate file in a folder below html-public. Set permissions on it so that only files on the server can execute it.

    That way even if your php files end up in plain text on someone's browser, they won't be able to access or execute the database code.

    Mike

  6. #6
    SitePoint Zealot ceefour
    Join Date
    Feb 2005
    Location
    Bandung, Indonesia
    Posts
    138
    There are some cases in which the PHP configuration will fail; usually it will display 500 Internal Server Error if you're lucky. If you're not, then it'll display your script, which is very bad. It can happen when the hoster is reconfiguring the server and somehow it's incorrectly done... well, humans do make mistakes. Although it can also be a machine mistake.

    I suggest not putting ANY sensitive files inside your public_html or htdocs, especially the ones that aren't intended to be run directly, i.e. included scripts. It's much better, safer, and better design to keep them out of the document root and include them from public scripts.

    By the way, as a side note, you should also make sure that nobody can view the directory index of any of the directories in your document root. Most open source software does this by putting an index.html in EVERY directory that doesn't contain an index.html or index.php. You can disable this feature using Apache's Options -Indexes (the default is to enable Indexes), but not everyone has access to Apache's configuration; you should really be able to use .htaccess, otherwise you MUST get another webhoster.
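The layout MikeBigg and ceefour describe, as an added example that is not code from the thread: the credentials live in a file one level above the document root, and the public script loads them by a path anchored on `__DIR__` rather than a bare relative path (relative includes are resolved against `include_path` and the current working directory, not the script's own directory). The loader also refuses, fail-closed, to read a secrets file that turns out to sit under the document root, which is exactly the file that would be served as plain text if the PHP handler broke. Directory names, the `dbconfig.php` file name and the credential values are all hypothetical; the script builds a throwaway copy of the layout under the temp directory so it runs offline.

```php
<?php
// Added example (not from the thread): keep database credentials in a file outside
// the document root and load them from a public script via a __DIR__-anchored path,
// refusing any secrets file that is actually web-reachable. Paths are hypothetical.
declare(strict_types=1);

/**
 * Resolve $relativePath against $docRoot and return its real path, but refuse
 * any file whose real path lies under the document root itself.
 */
function secretsPathOutsideDocroot(string $relativePath, string $docRoot): string
{
    $root = realpath($docRoot);
    $file = realpath($docRoot . DIRECTORY_SEPARATOR . $relativePath);
    if ($root === false || $file === false) {
        throw new RuntimeException("secrets file not found: $relativePath");
    }
    // "Inside the docroot" means the real path starts with <docroot> + separator.
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($file, $rootPrefix, strlen($rootPrefix)) === 0) {
        throw new RuntimeException("refusing to load $file: it is inside the document root");
    }
    return $file;
}

/** Load the credentials array returned by the secrets file and check its shape. */
function loadDbConfig(string $docRoot, string $relativePath = '../secure/dbconfig.php'): array
{
    $config = require secretsPathOutsideDocroot($relativePath, $docRoot);
    foreach (['dsn', 'user', 'pass'] as $key) {
        if (!isset($config[$key])) {
            throw new RuntimeException("dbconfig is missing '$key'");
        }
    }
    return $config;
}

// In a real deployment, public_html/index.php would simply do:
//   $config = loadDbConfig(__DIR__);
//   $pdo = new PDO($config['dsn'], $config['user'], $config['pass'],
//                  [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
//
// Below: a throwaway layout under the temp directory (constructed data, placeholder
// password) so the check can be exercised without a web server or database.
$base = sys_get_temp_dir() . '/docroot-demo-' . bin2hex(random_bytes(4));
mkdir("$base/public_html", 0700, true);
mkdir("$base/secure", 0700, true);

$secret = "<?php return ['dsn' => 'mysql:host=localhost;dbname=app', "
        . "'user' => 'app', 'pass' => 'PLACEHOLDER'];\n";
file_put_contents("$base/secure/dbconfig.php", $secret);      // outside docroot: accepted
file_put_contents("$base/public_html/dbconfig.php", $secret); // inside docroot: must be refused

$ok = loadDbConfig("$base/public_html");
echo "loaded config for user '{$ok['user']}' from outside the document root\n";

try {
    loadDbConfig("$base/public_html", 'dbconfig.php');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The `require` of a file that `return`s an array is a plain PHP idiom; the only addition here is the `realpath` prefix check, which turns a misplaced secrets file into a visible error at deploy time instead of a silent exposure later.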

  7. #7
    SitePoint Evangelist
    Join Date
    Jan 2005
    Posts
    502
    thanks a lot guys, that was what I was looking for

  8. #8
    SitePoint Evangelist
    Join Date
    Jan 2005
    Posts
    502
    hey, as to storing the database connection in another directory outside of the public_html directory, could I then just use an include to include the script into my file, such as

    <?php include '../securefolder/databaseconnect.php'; ?>

    Would this preserve the security?

    Thanks again guys

    Mike

  9. #9
    SitePoint Addict
    Join Date
    Feb 2004
    Location
    Netherlands
    Posts
    381
    Since the PHP script wouldn't run if PHP isn't working, it will not include a thing. So no worries there.

  10. #10
    SitePoint Zealot ceefour
    Join Date
    Feb 2005
    Location
    Bandung, Indonesia
    Posts
    138
    > <?php include '../securefolder/databaseconnect.php'; ?>
    Yeah... that's basically what you want to do.

    As a side note, NEVER use:

    include $_GET['somefile'];

    some applications like old osCommerce did this and that was a HUGE security flaw. And some people still do it even now.

    Also you wouldn't want preg with /e unless under very strict conditions. Look at what happened to phpBB. (My site got hacked once because of this phpBB flaw, really got me super-mad)

    I recall there's a "PHP Security consortium" somewhere just announced to provide best practices of PHP in security. Maybe something you want. Do a search on "Planet PHP blog".
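The two patterns ceefour warns against, each beside a hardened replacement, as an added example that is not code from the thread. For the dynamic include, the request supplies a key that is looked up in a fixed allowlist, so the filesystem path is never built from user input. For `/e`, `preg_replace` with that modifier evaluated the replacement string as PHP code (it was deprecated in PHP 5.5 and removed in 7.0); `preg_replace_callback` takes a closure instead, so the matched text is only ever data. The page names, file paths and BBCode tag are constructed for the example.

```php
<?php
// Added example (not from the thread): allowlisted page include instead of
// `include $_GET['somefile']`, and preg_replace_callback instead of preg /e.
// Page names, paths and the BBCode tag are constructed for illustration.
declare(strict_types=1);

// 1. Dynamic include. The dangerous form lets the request name any file:
//        include $_GET['somefile'];
//    Hardened form: the request supplies a key; the key is mapped through a fixed
//    allowlist and the path never contains anything the client sent.
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

/** Return the allowlisted file to include for a requested page key. */
function resolvePage(?string $requested): string
{
    $key = $requested ?? 'home';
    // array_key_exists, not in_array or isset, so the lookup is exact and type-safe;
    // anything unknown (including traversal strings) falls back to the home page.
    return PAGES[array_key_exists($key, PAGES) ? $key : 'home'];
}

// 2. preg_replace with /e ran the replacement as PHP code, so matched input could
//    become code. With preg_replace_callback the replacement is a closure and the
//    captured text is handled as data (and HTML-escaped before being re-emitted).
function renderBold(string $text): string
{
    return preg_replace_callback(
        '/\[b\](.*?)\[\/b\]/s',
        static fn(array $m): string => '<b>' . htmlspecialchars($m[1], ENT_QUOTES) . '</b>',
        $text
    );
}

// Constructed inputs: a known page, no parameter, an unknown name, a traversal attempt.
foreach (['contact', null, 'admin', '../../secure/dbconfig.php'] as $input) {
    printf("%-30s -> %s\n", var_export($input, true), resolvePage($input));
}
echo renderBold('Hello [b]<world>[/b]'), "\n";   // <b>&lt;world&gt;</b>
```

In a real front controller the result of `resolvePage($_GET['page'] ?? null)` is what gets passed to `include`; because every return value is one of the three literal strings in `PAGES`, the request cannot steer the include anywhere else.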

  11. #11
    SitePoint Evangelist
    Join Date
    Jan 2005
    Posts
    502
    once again thanks for all the info guys, cleared it up beautifully

  12. #12
    SitePoint Addict
    Join Date
    Oct 2004
    Location
    Brooklyn, NY
    Posts
    359
    Quote Originally Posted by ceefour
    I recall there's a "PHP Security consortium" somewhere just announced to provide best practices of PHP in security.
    http://phpsec.org/

    Hope that helps.
    Chris Shiflett
    http://shiflett.org/
