protect the username and password
Posted: Sat Feb 22, 2003 7:54 am
by hakiki_dolphin
Hi,
// CONNECT TO THE DB SERVER
$mysql_link = mysql_connect("localhost", "root", "") or die('<p>TRY AGAIN!');
// SELECT THE DB
mysql_select_db("db_name", $mysql_link);
I use this code in a page where internet users can see the database access username
and password. So I must protect these. How can I do this effectively? And I must protect
the MySQL databases in my hosting area. Is there any solution for this problem?
If you can help me, I will be very happy.
Sincerely.
Ahmet Kara
ahmet_k_2002@yahoo.com
Posted: Sat Feb 22, 2003 8:30 am
by RedDragon
Your users can't see your PHP code, as it is parsed before being sent to the client.
Posted: Sat Feb 22, 2003 10:35 am
by BDKR
Hi there,
Ahmet, please tell me you are pumping this information through an SSL.

Why does the user need to see his or her password? If I wanted to get someone's password, why couldn't I just say "Hey, I lost my password!" when indeed I'm someone else? If a user loses, or more correctly, forgets a password, automagically generate a pass and send it to him via an email address.
As for protecting your db...
1) Use a nonstandard port. Keep 'em guessing!
2) Use a firewall! Why let 'em in in the first place?
3) Don't allow connections from anywhere other than the web server.
4) If the web and db server are on the same box, use the mysql.sock and allow no outside tcp/ip connections.
Can't think of anything else...
Cheers,
BDKR
Posted: Sat Feb 22, 2003 1:01 pm
by McGruff
Never connect to the database server as root user with no password. ANYBODY can do the same.
Create a name & pass for your root, "superuser" in the mysql users table.
For your php application, create another mysql user with only the minimum privileges required for ordinary site visitors. Use this info in your php scripts to connect to the database.
You may also want an admin level user, so create another user with extra privileges but DO NOT use the superuser! Never allow connection to a mysql database with all privileges from anywhere within a php website, unless you really have to (i.e. your scripts require all privileges to run).
You don't need SSL unless you have very high security needs.
Finally, put the database link identifier scripts in separate files, in a secure .htaccess protected folder. Include these scripts whenever you need them in other php files.
Posted: Sat Feb 22, 2003 1:57 pm
by BDKR
You don't need SSL unless you have very high security needs.
You know, if he's running a linux box, he can provide SSL for free to his clients (it sounds as though he's a host). Any decent Linux distro today that can be downloaded also has SSL. My boss, who was an MS guy for the longest as he didn't know any better, was stunned when I showed him. Besides, if you must send the kind of information he's talking about, don't send it in the clear.
Now this one here...
...database link identifier scripts in separate files, in a secure .htaccess protected folder.
... is a great idea. I wonder why I never thought of it.
Cheers,
BDKR
Posted: Tue Feb 25, 2003 1:26 pm
by mindows
McGruff wrote:...
Finally, put the database link identifier scripts in separate files, in a secure .htaccess protected folder. Include these scripts whenever you need them in other php files.
How do you keep the include files separate in a secured directory?
Posted: Tue Feb 25, 2003 2:20 pm
by McGruff
How do you keep the include files separate in a secured directory?
A "deny from all" .htaccess file in http://www.mysite.com/folder/ will block direct access like this:
http://www.mysite.com/folder/stuff.php
but will allow this:
http://www.mysite.com/nav.php?page=stuff
The file nav.php would include a file depending on the supplied page var - stuff.php in this case.
So, your scripts can access a dlid, say, in this folder but no-one can actually open it.
Any files which you DO need to call directly - nav.php in the above example, or a root index.php file if you have one - should be outside the .htaccess tree.
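As an added example (not code posted by anyone in this thread), here is a nav.php written to McGruff's layout: a "Deny from all" .htaccess guards the folder holding the database link identifier and the page fragments, and nav.php resolves the page variable through a fixed allowlist so that a request can only ever select one of the listed files. The directory names, the low-privilege site_user account and the use of PDO (in place of the thread's mysql_* calls) are assumptions.

```php
<?php
// nav.php (added example): the one script visitors request directly, so it sits
// in the web root, outside the .htaccess-protected tree McGruff describes.
//
// Assumed layout (example names, not from the thread):
//   /var/www/html/nav.php          this file
//   /var/www/html/inc/.htaccess    one line:  Deny from all
//   /var/www/html/inc/dlid.php     database link identifier; connects with a
//                                  low-privilege account, never root, e.g.
//                                  $db = new PDO('mysql:host=localhost;dbname=db_name',
//                                                'site_user', $sitePassword);
//   /var/www/html/inc/pages/*.php  page fragments that expect $db to exist
//
// Apache answers 403 for any URL under /inc/, but PHP's require() reads the
// files from disk, so only nav.php can reach them.

define('INC_DIR', __DIR__ . '/inc');

// Fixed allowlist: the public "page" value is a lookup key, never a path component.
// Any value not listed here is rejected outright, so the request cannot name a
// file of its own choosing.
$pages = [
    'stuff'   => INC_DIR . '/pages/stuff.php',
    'contact' => INC_DIR . '/pages/contact.php',
];

$page = isset($_GET['page']) ? (string) $_GET['page'] : 'stuff';
if (!array_key_exists($page, $pages)) {
    http_response_code(404);
    exit('Unknown page');
}

// Database credentials stay in the protected folder and are loaded only here.
require INC_DIR . '/dlid.php';

// Hand off to the selected fragment; it uses the $db handle set up by dlid.php.
require $pages[$page];
```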