
Need help protecting contents of a file

Posted: Sun Oct 19, 2003 4:20 am
by CyberSpatium
Hello there.. I am setting up a PHP script for a site on my server. One of the files in that script, config.inc.php contains this code:

Code:

<?php
# setup database
   $host = "localhost";
   $user = "username";
   $pass = "password";
   $db = "database";
?>
This config.inc.php contains the info needed to connect to MySQL. On my website however, the same userid and password used to log in to MySQL is also the same userid and password to log in to my website's Enism Control Panel to admin the website.

So, all someone has to do is save this file to their HD using a web copying software, then open the file, get my login userid and pass, and go to http://www.mydomain.com/admin , and they can get into my control panel for the site. I have had this done before. Someone used a website copying software, copied everything off my website, got my userid and password and was able to access my site. So, I am trying to hide or protect this info to keep it safe.

I have tried placing the file with the login info outside of my website's webroot, but I cannot get PHP to read files outside of the webroot.

I have placed the file in “c:/php/incudes” and added that to the “include_file” setting in my php.ini file, and then tried to include the file in my scripts and that did not work.

I tried to encode my file with the Zend Encoder, but when I tried to install Zend Optimizer, I could not get it to work on my Windoze2k3 system.

How can I protect my login info yet still be able to use it in my scripts? Any ideas?

Thanks in advance…
CyberSpatium

Posted: Sun Oct 19, 2003 4:55 am
by leebo
Try http://www.websitecreations.co.nz/codelock/ they have a solution which would work for you

Using apache to protect your dir

Posted: Sun Oct 19, 2003 9:00 am
by Abyss
Wouldn't it be easier to just make the dir private through the apache.conf, this is taken from my apache.conf

<directory "D:/phpdev/www/config/">
AllowOverride None
Order allow,deny
Allow from localhost 127.0.0.1
</directory>

but this will only work if you have physical access to the machine.

:?

Posted: Sun Oct 19, 2003 9:22 am
by volka
and if your webserver is configured to handle php-scripts the clients won't see the source code at all

Posted: Sun Oct 19, 2003 11:07 am
by CyberSpatium
I already have Zend Encoder, so don't want to pay for another encoder program to encode only one file... know of anything else that might work?
Abyss wrote:Wouldn't it be easier to just make the dir private through the apache.conf, this is taken from my apache.conf
I have Windows 2003 server not Apache... thanx anyhow...
volka wrote:and if your webserver is configured to handle php-scripts the clients won't see the source code at all
yes, it is handled to run php scripts, but if someone uses a website copying software and downloads my scripts, they can then open up the config file and get all my info.

CyberSpatium

Posted: Sun Oct 19, 2003 11:55 am
by Kriek
Volka's statement is absolutely correct. PHP is a server-side scripting language and it is therefore parsed server-side, meaning before it leaves the web server, as a result you cannot view the source on a properly set up web server, unless of course it is defined as a phps source file.
CyberSpatium wrote:... website copying software and downloads my scripts, they can then open up the config file and get all my info.
Again on a properly set up web server this is impossible, you cannot view the PHP source, you cannot download the PHP source. Make certain your configuration file is in a valid PHP based file format.
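
Added example, not code from any poster in this thread: one way to keep the credentials file outside the web root and load it by absolute path, so it works independently of include_path (the directory must still be permitted by open_basedir if that directive is set). The function name load_db_config and the directory layout are assumptions made for illustration; the demo builds a throwaway web root in the temp directory.

```php
<?php
// Hypothetical helper: load DB credentials from a file outside the web root.
function load_db_config(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);
    if ($real === false || !is_readable($real)) {
        throw new RuntimeException("Config file missing or unreadable: $configPath");
    }
    // Refuse a credentials file that sits under the web root, where a
    // broken PHP handler mapping could hand it out as plain text.
    $root = realpath($docRoot);
    if ($root !== false) {
        $prefix = $root . DIRECTORY_SEPARATOR;
        // Windows paths are case-insensitive, so compare accordingly.
        $cmp = DIRECTORY_SEPARATOR === '\\' ? 'strncasecmp' : 'strncmp';
        if ($cmp($real, $prefix, strlen($prefix)) === 0) {
            throw new RuntimeException("Config file is inside the web root: $real");
        }
    }
    // The file returns an array, so it prints nothing even if requested directly.
    $cfg = require $real;
    foreach (['host', 'user', 'pass', 'db'] as $key) {
        if (!is_array($cfg) || !isset($cfg[$key]) || !is_string($cfg[$key])) {
            throw new RuntimeException("Config key '$key' missing in $real");
        }
    }
    return $cfg;
}

// Constructed demo layout: <tmp>/cfgdemo_<pid>/wwwroot and a sibling private dir.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cfgdemo_' . getmypid();
$docRoot = "$base/wwwroot";
$private = "$base/private";
mkdir($docRoot, 0700, true);
mkdir($private, 0700, true);
$body = "<?php\nreturn ['host' => 'localhost', 'user' => 'username', "
      . "'pass' => 'password', 'db' => 'database'];\n";
file_put_contents("$private/config.inc.php", $body);
file_put_contents("$docRoot/config.inc.php", $body);

$cfg = load_db_config("$private/config.inc.php", $docRoot);
echo "loaded config for db '{$cfg['db']}' on {$cfg['host']}\n";
try {
    load_db_config("$docRoot/config.inc.php", $docRoot);
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
// Remove the constructed demo files.
array_map('unlink', ["$private/config.inc.php", "$docRoot/config.inc.php"]);
rmdir($private); rmdir($docRoot); rmdir($base);
```

Using a separate MySQL account for the script, with a password different from the control panel login, limits what a leaked copy of this file exposes.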