Thread: MySQL security and PHP

  1. #1
    Senior Member roswell1329's Avatar
    Join Date
    Jan 2002
    Posts
    670

    Question MySQL security and PHP

    I'm running a website that pulls most of its data from a MySQL database. To connect to that database, I have to use the standard PHP connect method that looks something like this:

    function db_connect()
    {
        // Persistent connection to the local MySQL server; the second and third
        // arguments are the database user name and its password, in plain text.
        $result = @mysql_pconnect("localhost", "username", "auth");
        if (!$result)
            return false;
        // Select the default database (despite the name, this is a database, not a table).
        if (!@mysql_select_db("my_table"))
            return false;

        return $result;
    }

    This function must be in a file that is readable by the http server so that it is executable by the website. This function also displays the username and password in plain text for all to see. Does anyone know of a better way I can protect that username and password? I can't imagine that big sites that use a database (like eBay or Amazon) have to use this method!
    /* You are not expected to understand this. */

  2. #2
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    If I'm understanding what you are asking, this link should help: http://www.onlamp.com/pub/a/php/2001...pt.html?page=1
    It's a tutorial on doing just what you are talking about, I think.
    Who is more trustworthy than all of the gurus or Buddhas?

  3. #3
    Senior Member roswell1329's Avatar
    Join Date
    Jan 2002
    Posts
    670
    Actually, I don't know of a way to view PHP source code from a web browser, so I'm not too worried about people snooping with a browser. I'm more concerned about the physical file that the PHP function is stored in being compromised by other users on the system. The file and directory to that file must be readable by the web server so web browsers can access it. I suppose I could really clamp down the permissions on the PHP file so that ONLY the web server account can read the file, but I still feel wary having my password there in plain text. I wonder if there's any kind of encryption/decryption scheme I could use to decrypt the password before using it in the function. Any ideas?


    <edit>
    Ah! The link you gave, bballad, was exactly what I was looking for. I had forgotten that PHP can use the standard HTTP/AUTH variables internally. With that, I can actually use the web-login as the database login, too. I don't have to have any login information in my files, I just have to add a dozen new users to the database. Awesome! Thanks!
    </edit>
    /* You are not expected to understand this. */
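    The approach described in the edit above (the browser's HTTP Basic Auth credentials become the MySQL login, so no password is stored in any script), as an added example that is not part of the thread. It uses the mysqli extension rather than the older mysql_* functions shown in post #1, and the database name "mydb" is an assumption; each web user is assumed to also be a MySQL account with only the grants it needs.

```php
<?php
// Added example, not from the thread: connect to MySQL with the credentials
// the browser sent in the HTTP Basic Auth header. Nothing secret is stored
// on disk; the MySQL server itself decides whether the login is valid.

function request_auth(): void
{
    // Ask the browser for credentials (or re-ask after a failed login).
    header('WWW-Authenticate: Basic realm="Database area"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authentication required';
}

function db_connect_with_http_auth(string $host, string $dbname): ?mysqli
{
    // PHP exposes the decoded Basic Auth header as these two variables.
    if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        request_auth();
        return null;
    }
    $user = $_SERVER['PHP_AUTH_USER'];
    $pass = $_SERVER['PHP_AUTH_PW'];

    // Turn off mysqli exceptions so a bad password is a normal failed connect.
    mysqli_report(MYSQLI_REPORT_OFF);
    $db = @new mysqli($host, $user, $pass, $dbname);
    if ($db->connect_errno !== 0) {
        // Same response as a missing header, so a wrong password and no
        // password look identical to the client.
        request_auth();
        return null;
    }
    return $db;
}

$db = db_connect_with_http_auth('localhost', 'mydb'); // 'mydb' is hypothetical
if ($db !== null) {
    // Show which MySQL account the web user ended up as.
    $row = $db->query('SELECT CURRENT_USER()')->fetch_row();
    echo htmlspecialchars($row[0]);
}
```

    Basic Auth sends the user name and password base64-encoded (not encrypted) on every request, so this only makes sense on a TLS-protected site, which is the point post #6 makes about routing the transaction through a secure server.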

  4. #4
    Senior Member
    Join Date
    Oct 2002
    Posts
    181
    The problem is with MySQL, you have to send the password via plain text, lame I know but I'm not aware of a work around.

    A work around (I'm guessing you are using Linux) to protect the file would be to have the file owned not by the user that runs the web server, e.g. let's say root. Then give the file 001 which would mean that it can only be executed, not read or written to (unless root changes the rights). This way not even the web server can read the file, it can only execute it!!!!!

    Hope this helps SittingDuck
    I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"
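    On the file-permission side of the discussion above: the PHP interpreter runs as the web server account and has to read a script or include file before it can run it, so the usual hardening is to move the credentials into a file outside the document root that only that account (or root plus the server's group) can read. The following is an added example, not from the thread; the path /etc/myapp/db.php is hypothetical, and the loader refuses to use the file if any permission bit is set for "others".

```php
<?php
// Added example, not from the thread: load DB credentials from a file kept
// outside the web root and check its permissions before trusting it.
// Recommended ownership/mode for the file: root:www-data 0640, or the
// web server user with 0400. Both pass the check below.

const DB_CONFIG_FILE = '/etc/myapp/db.php'; // hypothetical path, outside DocumentRoot

function load_db_config(string $path): array
{
    if (!is_file($path)) {
        throw new RuntimeException("config file missing: $path");
    }
    $mode = fileperms($path) & 0777;
    // Refuse anything readable by "others"; group access is left to the
    // administrator (it is what makes root:www-data 0640 work).
    if (($mode & 0007) !== 0) {
        throw new RuntimeException(sprintf('config is world-accessible (mode %04o)', $mode));
    }
    // The file is plain PHP that returns an array, so it is never served as
    // text even if someone finds its path:
    //   <?php return ['host' => 'localhost', 'user' => '...', 'pass' => '...', 'db' => '...'];
    $cfg = require $path;
    if (!is_array($cfg)) {
        throw new RuntimeException('config file did not return an array');
    }
    foreach (['host', 'user', 'pass', 'db'] as $key) {
        if (!isset($cfg[$key])) {
            throw new RuntimeException("config missing key '$key'");
        }
    }
    return $cfg;
}

function db_connect(): mysqli
{
    $cfg = load_db_config(DB_CONFIG_FILE);
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['db']);
}
```

    The permission check is deliberately loud: a misconfigured file stops the application instead of quietly connecting with credentials any local user could have read.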

  5. #5
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    Read the article, you can store encrypted plain text in the db, and so without the key what’s pulled out of the mysql db looks like garbage to anyone else. Of course this is only as secure as the encryption method you use.
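    The "encrypted values in the database" idea from the reply above, as an added example that is not from the thread or the linked article: values are sealed with AES-256-GCM (authenticated, so tampered rows are detected on read) before being written, and the key lives in a file outside the document root. The key path is hypothetical; the self-test at the end uses a random in-memory key so the script runs without that file.

```php
<?php
// Added example, not from the thread: encrypt a column value before it is
// stored in MySQL, so that rows read without the key are unusable.
// Stored format: iv (12 bytes) . gcm tag (16 bytes) . ciphertext.

const KEY_FILE = '/etc/myapp/column.key'; // hypothetical: exactly 32 random bytes

function load_key(string $path): string
{
    $key = @file_get_contents($path);
    if ($key === false || strlen($key) !== 32) {
        throw new RuntimeException('key file must hold exactly 32 bytes');
    }
    return $key;
}

function seal(string $plaintext, string $key): string
{
    $iv  = random_bytes(12);            // fresh nonce for every value
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $iv . $tag . $ct;
}

function unseal(string $blob, string $key): string
{
    if (strlen($blob) < 28) {
        throw new RuntimeException('stored value too short to be valid');
    }
    $iv  = substr($blob, 0, 12);
    $tag = substr($blob, 12, 16);
    $ct  = substr($blob, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        // Wrong key or modified row: GCM tag verification failed.
        throw new RuntimeException('decryption failed or data was tampered with');
    }
    return $pt;
}

// How it plugs into a query (column type VARBINARY/BLOB, prepared statement):
//   $key  = load_key(KEY_FILE);
//   $blob = seal($secret, $key);
//   $stmt = $db->prepare('INSERT INTO notes (body) VALUES (?)');
//   $stmt->bind_param('s', $blob);
//   $stmt->execute();

// Self-test with a throwaway key so the file runs stand-alone.
$testKey = random_bytes(32);
$blob    = seal('hello, world', $testKey);
assert(unseal($blob, $testKey) === 'hello, world');
$blob[strlen($blob) - 1] = chr(ord($blob[strlen($blob) - 1]) ^ 0x01); // flip one bit
try {
    unseal($blob, $testKey);
    echo "tampering went undetected\n";
} catch (RuntimeException $e) {
    echo "tampering detected: {$e->getMessage()}\n";
}
```

    As the reply says, this is only as strong as the key handling: the key file needs the same out-of-web-root placement and tight permissions as the credentials file, and the database itself cannot search or index on the encrypted column.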

  6. #6
    Senior Member roswell1329's Avatar
    Join Date
    Jan 2002
    Posts
    670
    Actually, I can get around the password travelling over the net in plain text, too. Simply route the entire transaction through a secure server. I don't know that this measure is warranted for my uses, but if you needed total security, that would be the way to go. Thanks everyone.
    /* You are not expected to understand this. */
