-
April 1st, 2003, 09:52 PM
#1
MySQL security and PHP
I'm running a website that pulls most of its data from a MySQL database. To connect to that database, I have to use the standard PHP connect method that looks something like this:
function db_connect()
{
    // Open a persistent connection; the @ suppresses PHP's warning on failure.
    $result = @mysql_pconnect("localhost", "username", "auth");
    if (!$result)
        return false;
    // Select the default database for this connection.
    if (!@mysql_select_db("my_table"))
        return false;
    return $result;
}
This function must be in a file that is readable by the http server so that it is executable by the website. This function also displays the username and password in plain text for all to see. Does anyone know of a better way I can protect that username and password? I can't imagine that big sites that use a database (like eBay or Amazon) have to use this method!
/* You are not expected to understand this. */
-
April 1st, 2003, 10:12 PM
#2
If I'm understanding what you are asking, this link should help: http://www.onlamp.com/pub/a/php/2001...pt.html?page=1
It's a tutorial on doing just what you are talking about, I think.
Who is more trustworthy than all of the gurus or Buddha's?
-
April 1st, 2003, 11:12 PM
#3
Actually, I don't know of a way to view PHP source code from a web browser, so I'm not too worried about people snooping with a browser. I'm more concerned about the physical file that the PHP function is stored in being compromised by other users on the system. The file and directory to that file must be readable by the web server so web browsers can access it. I suppose I could really clamp down the permissions on the PHP file so that ONLY the web server account can read the file, but I still feel wary having my password there in plain text. I wonder if there's any kind of encryption/decryption scheme I could use to decrypt the password before using it in the function. Any ideas?
<edit>
Ah! The link you gave, bballad, was exactly what I was looking for. I had forgotten that PHP can use the standard HTTP/AUTH variables internally. With that, I can actually use the web login as the database login, too. I don't have to have any login information in my files, I just have to add a dozen new users to the database. Awesome! Thanks!
</edit>
/* You are not expected to understand this. */
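The approach the poster settled on in the edit above (the browser's HTTP authentication credentials become the MySQL login, so no database password is stored in any file the web server can read), written out as an added example. This is not code from the thread or from the linked tutorial. It assumes a MySQL account exists for each web user, that the mysqli extension is loaded (the mysql_* functions used in post #1 were removed in PHP 7), and that the database name is a placeholder.

```php
<?php
// Added example: forward HTTP Basic credentials as the MySQL login.
// Assumptions: one MySQL account per web user; DB_NAME is a placeholder.
const DB_HOST = 'localhost';
const DB_NAME = 'my_database';   // placeholder

function require_http_auth(): array
{
    // PHP fills PHP_AUTH_USER / PHP_AUTH_PW from the Authorization: Basic
    // header; they are absent on the first request, so challenge the browser.
    if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        header('WWW-Authenticate: Basic realm="Database"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Authentication required.';
        exit;
    }
    return [$_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']];
}

function db_connect_as_web_user(): mysqli
{
    [$user, $pass] = require_http_auth();

    // Throw on connection errors instead of emitting warnings that would
    // print the host and user name into the page.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    try {
        return new mysqli(DB_HOST, $user, $pass, DB_NAME);
    } catch (mysqli_sql_exception $e) {
        // Wrong credentials: re-challenge rather than show the MySQL error text.
        header('WWW-Authenticate: Basic realm="Database"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Login failed.';
        exit;
    }
}

$db  = db_connect_as_web_user();
$row = $db->query('SELECT CURRENT_USER() AS u')->fetch_assoc();
echo 'Connected as ', htmlspecialchars($row['u'], ENT_QUOTES, 'UTF-8');
```

Two things to keep in mind with this design. HTTP Basic authentication sends the user name and password base64-encoded, which is effectively plain text, on every request, so it is only reasonable over TLS (the "secure server" of post #6). And because each web user now has a real MySQL account, those accounts should be granted only the privileges that user's pages need; a per-user grant is what makes the scheme safer than one shared application login.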
-
April 1st, 2003, 11:21 PM
#4
The problem is with mysql, you have to send the password via plain text, lame I know but I'm not aware of a work around.
A work around (I'm guessing you are using linux) to protect the file would be to have the file owned by a user other than the one that runs the web server, e.g. let's say root. Then give the file 001 which would mean that it can only be executed, not read or written to (unless root changes the rights). This way not even the web server can read the file, it can only execute it!!!!!
Hope this helps SittingDuck
I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"
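The file-permission approach discussed in posts #3 and #4, as an added example that is not code from the thread: the database password lives in a file outside the web document root, the file is readable only by the account the web server runs as, and the application refuses to use it if those permissions have been loosened. The path /etc/myapp/db-credentials.php is a placeholder, the file is assumed to be owned by the web server account and to return an associative array, and mysqli is used because the mysql_* functions from post #1 were removed in PHP 7.

```php
<?php
// Added example: load database credentials from a file outside the docroot
// and verify its permissions before trusting it.
//
// Assumed placeholder file, owned by the web server account, mode 0400:
//   <?php return ['host' => 'localhost', 'user' => 'webapp',
//                 'pass' => 'placeholder', 'db' => 'my_database'];
const CREDENTIALS_FILE = '/etc/myapp/db-credentials.php';   // placeholder path

function load_credentials(string $path): array
{
    if (!is_file($path)) {
        throw new RuntimeException('Credentials file missing');
    }
    // Keep only the permission bits (mask off the file-type bits). Any group
    // or world bit means another local user could read the password.
    $mode = fileperms($path) & 0777;
    if ($mode & 0077) {
        throw new RuntimeException(sprintf(
            'Credentials file is mode %04o; expected 0400 or 0600', $mode));
    }
    $cfg = include $path;
    foreach (['host', 'user', 'pass', 'db'] as $key) {
        if (!is_array($cfg) || !isset($cfg[$key])) {
            throw new RuntimeException("Credentials file lacks '$key'");
        }
    }
    return $cfg;
}

function db_connect(): mysqli
{
    $cfg = load_credentials(CREDENTIALS_FILE);
    // A failed connect throws; do not echo the exception message to the
    // browser, since it can contain the user name and host.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['db']);
}
```

The limit of this scheme is the one the original poster worried about in #3: on a shared host every PHP script that runs under the same web server account can include this file, whatever its mode. The permission check only protects against other login users on the box; isolating sites from each other needs each site to run as its own account (per-site PHP-FPM pools or suexec-style setups), or the credential-free HTTP-auth approach from the edit in #3.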
-
April 1st, 2003, 11:46 PM
#5
Read the article; you can store encrypted plain text in the db, and so without the key what's pulled out of the mysql db looks like garbage to anyone else. Of course this is only as secure as the encryption method you use.
-
April 1st, 2003, 11:59 PM
#6
Actually, I can get around the password travelling over the net in plain text, too. Simply route the entire transaction through a secure server. I don't know that this measure is warranted for my uses, but if you needed total security, that would be the way to go. Thanks everyone.
/* You are not expected to understand this. */