  1. #1
    SitePoint Enthusiast
    Join Date
    Oct 2001
    Location
    London
    Posts
    48

    Is MySql /PHP safe?

    I was wondering whether the initial connection to a database using
    PHP Code:
    mysql_connect("database", "user", "password");
    is safe, since you are sending your password over an unprotected channel without encryption.
    -- | StEaLThEn |--

  2. #2
    SitePoint Enthusiast
    Join Date
    Oct 2001
    Location
    London
    Posts
    48
    I mean:
    PHP Code:
    mysql_connect("host", "user", "password");
    -- | StEaLThEn |--

  3. #3
    SitePoint Guru
    Join Date
    Aug 2001
    Location
    Amsterdam
    Posts
    788
    I don't think you're sending it over an unprotected channel... Well, I'm not. I use it on my localhost, therefore it doesn't leave the server, or at least I don't think it does. However you request a PHP file, unless you're logged on to the server using FTP or telnet the server will not echo that information, so if you request a PHP file for downloading you will only get the output of the script, not the source of the script.

    Greets

    Peanuts
    the neighbours' (free) WIFI makes it just a little more fun

  4. #4
    SitePoint Enthusiast
    Join Date
    Oct 2001
    Location
    London
    Posts
    48
    Umm... OK, in your case you are only using MySQL for your personal purposes, but what if you have a host which is not running on your computer and you want to use their facilities? You would have to program a webpage to send your data to your host... Hence "host", "user", "password".
    -- | StEaLThEn |--

  5. #5
    SitePoint Guru
    Join Date
    Jan 2001
    Location
    Alkmaar, Netherlands
    Posts
    710
    You can use a secure telnet client, connect to your webhost and edit your password there safely.

  6. #6
    SitePoint Guru
    Join Date
    Aug 2001
    Location
    Amsterdam
    Posts
    788
    Originally posted by stealthen
    Umm... OK, in your case you are only using MySQL for your personal purposes, but what if you have a host which is not running on your computer and you want to use their facilities? You would have to program a webpage to send your data to your host... Hence "host", "user", "password".
    Then either, as mentioned by sylow, you use SSH (secure shell) to "telnet" to the database, or you have your PHP on the same server; then when you send information to the PHP pages they will connect locally and send the stuff to the database.

    Then there is a risk that you use FTP to put the PHP on the server and somebody logs that... but that is an FTP risk and not a PHP / MySQL risk, and that is fixable when you put one connection file on the server, edit it through SSH and use that to connect to the database. By the way, if you have a good setup on the server there is no real risk in that either, because then the database will only listen to commands from the localhost, but that is a different matter altogether.
    the neighbours' (free) WIFI makes it just a little more fun

  7. #7
    SitePoint Addict rwar's Avatar
    Join Date
    Sep 2001
    Location
    PF / RS / BR
    Posts
    207
    What about sniffers? Have you guys heard this issue?

    I have tested some ones (linux), but I don't know about Windows.
    php? mysql? apache? That's it.

  8. #8
    SitePoint Enthusiast spoorw8er's Avatar
    Join Date
    Oct 2001
    Posts
    56
    Guys,

    The risk is not only limited to the small time period in which you transfer your scripts to/from the script host (using secure connections can already help you here) or the moment your script connects to the database host.

    The fact that a db-account and password are available somewhere on a server in a clear text form is always a security risk.
    Although the webserver/interpreter combination should normally protect your script-code against exposure, it is possible to circumvent this (systems can fail you know).

    That said it is important to realize you can never avoid risk (no system is water-tight), the best you can do is minimize the risk (prevention) and prepare for security breaches (detection and response).

    In your example, at a minimum you should always avoid the use of the database-root account in your application. Instead create a database operator that only has limited rights in your database and use this one in your app. Think very carefully about the minimum rights on a table by table basis, granting only those rights to the database-operator account that are necessary for the application to provide the normal user-oriented functionality (if users have no need to update table X, then don't grant that right to the database-operator account).
    If you also have an admin part in your application, then have your scripts for these admin functions ask you for the db account and password specifically (and make them use a secure connection such as SSL, of course); never hardcode the root account and password into your scripts.
    In this way, if someone succeeds in grabbing the operator account, e will only have limited rights on your db.

    Of course this does not mean that person will not be able to expand on that, e will, but it might take some time to do this and will leave some activity trace.

    Which brings us to the second part of security: detection. Have some sort of logging facility, track what is happening on your site.

    Thirdly, respond promptly to unusual activity. Check the logs regularly for (or establish an automatic notification of) unusual activity. You might get some false alarms, but compared to the cost of an undetected intrusion this is peanuts.

    And most importantly: security comes at a price. Think about how much security is worth to you. If you are talking about your personal home page, I wouldn't bother too much about it. If you're talking about a business-critical application where a security-breach might mean loss of sales, invest a lot in it.

    Hope this helps....
    Last edited by spoorw8er; Oct 25, 2001 at 05:56.

  9. #9
    SitePoint Enthusiast
    Join Date
    Oct 2001
    Location
    London
    Posts
    48
    Wisely spoken spoorw8er.

    However, I am still not sure how we can set permissions and create a user specifically for web page applications, since you don't usually have access to your host's MySQL table of privileges.

    If we did have access to it it would be easy !

    Well, as a matter of interest, I would like to know if the webmasters here use their own passwords (i.e. the same that they use for FTP transfer) or they have different ones for web page apps.

    To understand the question:
    Think of a members' area where a user is just signing up to become a member. Now, to send his/her data to your database, do you use your root password in mysql_connect("host", "user", "password")?
    -- | StEaLThEn |--

  10. #10
    Mlle. Ledoyen silver trophy seanf's Avatar
    Join Date
    Jan 2001
    Location
    UK
    Posts
    7,168
    You should not store passwords in web accessible files; if your server messes up it might not compile a script and will send the source code to the browser. Make a config file containing your username and password variables and store it in a non web accessible directory.

    Sean
    Harry Potter

    -- You lived inside my world so softly
    -- Protected only by the kindness of your nature

  11. #11
    SitePoint Enthusiast scottyparks's Avatar
    Join Date
    Apr 2001
    Posts
    31
    "Is MySql /PHP safe?"
    Answer: No, one time it tried to hurt me! haha, just a funny joke to lighten up the forums.

  12. #12
    SitePoint Enthusiast
    Join Date
    Oct 2001
    Location
    London
    Posts
    48
    scottyparks you be registering your new domain for your website
    -- | StEaLThEn |--

  13. #13
    SitePoint Guru
    Join Date
    Aug 2001
    Location
    Amsterdam
    Posts
    788
    Originally posted by spoorw8er
    notification of) unusual activity. You might get some false alarms, but compared to the cost of an undetected intrusion this is peanuts.
    Hey!!!! Wasn't me!!!!
    the neighbours' (free) WIFI makes it just a little more fun

  14. #14
    Free your mind Toly's Avatar
    Join Date
    Sep 2001
    Location
    Panama
    Posts
    2,181
    As Seanf mentioned, you should not store usernames and passwords in web documents; instead create a function that connects to the database, store it in an include file and then use it in every page you need to connect to the database.

    Something like:

    include("database.php");

    All include files must be stored in a folder outside the public_html or www directory, that way no one will see your password if something happens to the server.
    Last edited by Toly; Oct 26, 2001 at 05:42.

    "He that is kind is free, though he is a slave;
    he that is evil is a slave, though he be a king." - St. Augustine
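A worked version of the layout Toly and Seanf describe (credentials in an include file outside the web root), combined with spoorw8er's advice in post #8 to connect as a limited operator account rather than root. This is an added example, not code from the thread, and it uses the mysqli extension instead of the thread's mysql_connect(); the file paths, the account name site_op, the database and table members, and the password value are assumptions.

```php
<?php
// ---- /home/site/private/database.php (assumed path, OUTSIDE public_html) ----
// Credentials for a limited "operator" account, never the root account.
// Create that account once as the DB administrator (assumed names; not run here):
//   CREATE USER 'site_op'@'localhost' IDENTIFIED BY '<operator password>';
//   GRANT SELECT, INSERT ON members.members TO 'site_op'@'localhost';
// No UPDATE/DELETE/DROP: a leaked operator password cannot do more than that.
define('DB_HOST', 'localhost');
define('DB_USER', 'site_op');        // operator account, not root
define('DB_PASS', 'change-me');      // placeholder value
define('DB_NAME', 'members');

function db_connect(): mysqli
{
    // Throw exceptions on failure instead of echoing errors to the browser.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    $db->set_charset('utf8mb4');
    return $db;
}

// ---- /home/site/public_html/signup.php (web accessible) ----
// Absolute include path pointing outside the document root: even if the
// server ever serves this file as plain text, no password is in it.
require_once '/home/site/private/database.php';

$username = $_POST['username'] ?? '';
$email    = $_POST['email']    ?? '';

$db = db_connect();
// The only right the operator account needs for sign-up is INSERT on members.
// A prepared statement keeps user input out of the SQL text.
$stmt = $db->prepare('INSERT INTO members (username, email) VALUES (?, ?)');
$stmt->bind_param('ss', $username, $email);
$stmt->execute();
$stmt->close();
$db->close();
```

The private directory must be readable by the web server's user but not by other shell users on a shared host, and the admin-only scripts spoorw8er mentions should prompt for a separate, more privileged account rather than reuse this file.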

  15. #15
    SitePoint Enthusiast
    Join Date
    Oct 2001
    Location
    London
    Posts
    48
    Oh, ok.

    Toly and Seanf that is exactly what I wanted to know.

    Appreciate everyone's help.

    -- | StEaLThEn |--

  16. #16
    SitePoint Addict rwar's Avatar
    Join Date
    Sep 2001
    Location
    PF / RS / BR
    Posts
    207
    Hi, Stealthen.

    See the site below:

    http://hotwired.lycos.com/webmonkey/...tw=programming

    It has a good example on what (I think) you are looking for...
    php? mysql? apache? That's it.

  17. #17
    SitePoint Enthusiast
    Join Date
    Oct 2001
    Location
    London
    Posts
    48
    That is excellent!!!

    Thanks rwar!

    -- | StEaLThEn |--
