Need help protecting contents of a file

CyberSpatium
Forum Newbie
Posts: 21
Joined: Thu Mar 20, 2003 12:23 pm
Contact:

Need help protecting contents of a file

Post by CyberSpatium »

Hello there.. I am setting up a PHP script for a site on my server. One of the files in that script, config.inc.php contains this code:

<?php
# setup database
   $host = "localhost";
   $user = "username";
   $pass = "password";
   $db = "database";
?>
This config.inc.php contains the info needed to connect to MySQL. On my website, however, the userid and password used to log in to MySQL are also the userid and password used to log in to my website's Enism Control Panel to admin the website.

So, all someone has to do is save this file to their HD using web copying software, then open the file, get my login userid and pass, and go to http://www.mydomain.com/admin , and they can get into my control panel for the site. I have had this done before. Someone used website copying software, copied everything off my website, got my userid and password and was able to access my site. So, I am trying to hide or protect this info to keep it safe.

I have tried placing the file with the login info outside of my website's webroot, but I cannot get PHP to read files outside of the webroot.

I have placed the file in “c:/php/incudes” and added that to the “include_file” setting in my php.ini file, and then tried to include the file in my scripts and that did not work.

I tried to encode my file with the Zend Encoder, but when I tried to install Zend Optimizer, I could not get it to work on my Windoze2k3 system.

How can I protect my login info yet still be able to use it in my scripts? Any ideas?

Thanks in advance…
CyberSpatium
leebo
Forum Commoner
Posts: 44
Joined: Sun Oct 20, 2002 9:49 am

Post by leebo »

Try http://www.websitecreations.co.nz/codelock/ they have a solution which would work for you
Abyss
Forum Newbie
Posts: 1
Joined: Sun Oct 19, 2003 9:00 am

Using apache to protect your dir

Post by Abyss »

Wouldn't it be easier to just make the dir private through the apache.conf? This is taken from my apache.conf:

<directory "D:/phpdev/www/config/">
AllowOverride None
Order allow,deny
Allow from localhost 127.0.0.1
</directory>

But this will only work if you have physical access to the machine.

:?
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

and if your webserver is configured to handle php-scripts the clients won't see the source code at all
CyberSpatium
Forum Newbie
Posts: 21
Joined: Thu Mar 20, 2003 12:23 pm
Contact:

Post by CyberSpatium »

Wouldn't it be easier to just make the dir private through the apache.conf? This is taken from my apache.conf
I already have Zend Encoder, so I don't want to pay for another encoder program to encode only one file... know of anything else that might work?
Wouldn't it be easier to just make the dir private through the apache.conf? This is taken from my apache.conf
I have Windows 2003 server not Apache... thanx anyhow...
volka wrote: and if your webserver is configured to handle php-scripts the clients won't see the source code at all
Yes, it is handled to run php scripts, but if someone uses website copying software and downloads my scripts, they can then open up the config file and get all my info.

CyberSpatium
Kriek
Forum Contributor
Posts: 238
Joined: Wed May 29, 2002 3:46 am
Location: Florida
Contact:

Post by Kriek »

Volka's statement is absolutely correct. PHP is a server-side scripting language and it is therefore parsed server-side, meaning before it leaves the web server; as a result you cannot view the source on a properly set up web server, unless of course it is defined as a phps source file.
CyberSpatium wrote: ... website copying software and downloads my scripts, they can then open up the config file and get all my info.
Again, on a properly set up web server this is impossible: you cannot view the PHP source, you cannot download the PHP source. Make certain your configuration file is in a valid PHP-based file format.
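The approach the original poster attempted, keeping config.inc.php outside the web root, shown as an added example that is not code from any poster in this thread: it loads the file by absolute path and refuses a copy that resolves under the document root. The function names and the temporary demo directories are assumptions made for illustration; the variable names match the config.inc.php quoted in the first post.

```php
<?php
// Added example, not from the thread; function names and demo paths are hypothetical.

// True when $path resolves (after symlinks and "..") to somewhere under $docRoot.
function is_inside_docroot(string $path, string $docRoot): bool
{
    $real = realpath($path);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        return false;
    }
    // Normalise separators; compare case-insensitively, which is right for
    // Windows and merely stricter than needed on case-sensitive filesystems.
    $real = str_replace('\\', '/', $real);
    $root = rtrim(str_replace('\\', '/', $root), '/') . '/';
    return stripos($real, $root) === 0;
}

// Load $host/$user/$pass/$db from a file addressed by absolute path.
function load_db_config(string $configFile, string $docRoot): array
{
    if (!is_file($configFile) || !is_readable($configFile)) {
        throw new RuntimeException('Config not readable by the web server account');
    }
    if (is_inside_docroot($configFile, $docRoot)) {
        throw new RuntimeException('Refusing credentials stored under the web root');
    }
    require $configFile; // variables land in this function's scope, not in globals
    if (!isset($host, $user, $pass, $db)) {
        throw new RuntimeException('Config must define $host, $user, $pass and $db');
    }
    return compact('host', 'user', 'pass', 'db');
}

// Demo with a constructed layout: <tmp>/demo-xxxx/www plays the web root,
// <tmp>/demo-xxxx/private sits beside it and is never mapped to a URL.
$base = sys_get_temp_dir() . '/demo-' . bin2hex(random_bytes(4));
mkdir("$base/www", 0700, true);
mkdir("$base/private", 0700, true);
$body = '<?php $host = "localhost"; $user = "username"; $pass = "password"; $db = "database";';
file_put_contents("$base/www/config.inc.php", $body);
file_put_contents("$base/private/config.inc.php", $body);
$cfg = load_db_config("$base/private/config.inc.php", "$base/www");
echo "loaded config for database '{$cfg['db']}' on {$cfg['host']}\n";
try {
    load_db_config("$base/www/config.inc.php", "$base/www");
} catch (RuntimeException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

On a live site the second argument would normally be `$_SERVER['DOCUMENT_ROOT']`. If the `require` fails there, check that the web server account has read permission on the file and that `open_basedir`, if set, includes its directory.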