Getting a password securely
I understand that the commonly used means of securely supplying a password to a script is to store it in a text file outside the document directory. The script reads the file and extracts the password. Because the password is stored outside the document directory, it is difficult for an intruder to steal.
This makes sense, but it seems more complicated than necessary. Why not assign the password to a variable in an include file stored outside the document directory? The script can simply include the file instead of having to open a file, read it, and parse it. The security is the same.
I've tried this technique on my development system (WAMP) and on my client's hosted test site (LAMP), and it works in both places. (In each case the directory I chose was the parent of the document root. In Windows it is the root directory of my data disk. In Linux it is a child of the account's home directory.)
Am I just lucky that this is working for me? I'm puzzled that it isn't used in preference to the read-a-file technique.
Re: Getting a password securely
I wasn't aware of such a preference, but if there is one, storing the password by itself probably reduces confusion for site maintenance personnel who are unfamiliar with PHP syntax.
Re: Getting a password securely
If you are talking about storing just a single password (not different passwords for different users), I would guess there's no measurable performance difference and I wouldn't think there's any difference at all in your PHP script, other than how obvious it is in reading the script to recognize the purpose of the code line that reads the password. The include file approach isn't as obvious, which might be considered an advantage--until you consider the common issue of you coming back a year later and trying to figure out what you did, or another programmer becoming responsible for the code.
However, the concept of storing a password in plain text is probably not a good idea to begin with, even if it's not easily accessible via HTTP. Have you considered storing a hashed (encrypted) version of the password, then comparing the hashed version of what the user offers as the password against the stored value? That is the customary way of handling a password.
Re: Getting a password securely
califdon, I didn't make it clear that I'm talking about a database password, not a user password. The hashing technique isn't applicable there. Reversible encryption would be, but is overkill in this case.
With the password go a server address, a user name, and a database name. So, while there is only one password, there are several pieces of information.
Re: Getting a password securely
Common practice is to make a file called something like "connect.php" and in there open your db connection, then just include that from any page that will use the database.
The idea of putting it somewhere outside of web root, let's be honest: if someone is on your server and able to see your PHP source code, they are going to see you are including the file from WHEREVER on your server, and will be able to view the content of it as well.
If you encrypt it, they will see the code that decrypts it.
-Greg
Re: Getting a password securely
Never, ever, ever, ever, ever store passwords in plaintext in a file. Even on a server. Why?
No matter what that file is named, there is always the possibility of someone stumbling upon that file somehow. Google presents a good example of this.
And what Greg said: Put the database password in a .php file (because no matter how the user gets the file - server request, client request, download, etc. the only thing that shows is whatever you decide to output) and make sure the only people that have the ability to view the source (via FTP, etc.) are people that you choose.
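The thread compares two ways of keeping database credentials out of the document root (the original poster's include-file variant versus reading a plain text file), and Greg's and Gary's replies add the connect.php pattern and the point that only the account's own users should be able to read the file. The script below is an added example, not code from any of the posters: it implements both variants behind the same checks a practitioner would want before trusting the file (it resolves to a path outside DOCUMENT_ROOT, and on Unix it is not readable by group or others). The directory layout, file names, and credentials are assumptions constructed for the demo.

```php
<?php
// Added example (not from the thread). Assumed layout, built in a temp dir below:
//   <base>/public_html/      <- DOCUMENT_ROOT
//   <base>/config/db.php     <- include-file variant (returns an array)
//   <base>/config/db.ini     <- read-a-file variant (parsed, never executed)
declare(strict_types=1);

/**
 * Refuse a credentials file the web server could serve raw: it must exist,
 * resolve outside the document root, and (on Unix) be readable only by its owner.
 */
function check_secret_file(string $path, string $docroot): string
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("credentials file not found: $path");
    }
    $root = rtrim(realpath($docroot) ?: $docroot, '/\\') . DIRECTORY_SEPARATOR;
    if (strncmp($real, $root, strlen($root)) === 0) {
        throw new RuntimeException("credentials file is inside the document root: $real");
    }
    // fileperms() carries no meaningful mode bits on Windows, so skip the check there.
    if (DIRECTORY_SEPARATOR === '/' && (fileperms($real) & 0077) !== 0) {
        throw new RuntimeException(sprintf('%s is readable by other accounts (mode %o); chmod 600 it',
            $real, fileperms($real) & 0777));
    }
    return $real;
}

/** Include-file variant: the file returns the settings instead of setting globals. */
function load_config_include(string $path, string $docroot): array
{
    $cfg = include check_secret_file($path, $docroot);
    return validate_db_config(is_array($cfg) ? $cfg : []);
}

/** Read-a-file variant: key=value lines parsed with parse_ini_file. */
function load_config_ini(string $path, string $docroot): array
{
    $cfg = parse_ini_file(check_secret_file($path, $docroot), false, INI_SCANNER_TYPED);
    return validate_db_config($cfg === false ? [] : $cfg);
}

function validate_db_config(array $cfg): array
{
    foreach (['host', 'dbname', 'user', 'password'] as $key) {
        if (!isset($cfg[$key]) || !is_string($cfg[$key]) || $cfg[$key] === '') {
            throw new RuntimeException("db config is missing '$key'");
        }
    }
    return $cfg;
}

/** connect.php-style helper: the password is passed straight to PDO, not kept in a global. */
function db_connect(array $cfg): PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $cfg['host'], $cfg['dbname']);
    return new PDO($dsn, $cfg['user'], $cfg['password'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// --- Constructed demo data: build the assumed layout in a temp dir so this runs offline ---
$base = sys_get_temp_dir() . '/dbcfg_demo_' . bin2hex(random_bytes(4));
mkdir("$base/public_html", 0700, true);
mkdir("$base/config", 0700);
file_put_contents("$base/config/db.php", <<<'CFG'
<?php
return [
    'host'     => 'db.internal.example',
    'dbname'   => 'shop',
    'user'     => 'shop_app',
    'password' => 'constructed-demo-password',
];
CFG);
file_put_contents("$base/config/db.ini",
    "host=db.internal.example\ndbname=shop\nuser=shop_app\npassword=constructed-demo-password\n");
chmod("$base/config/db.php", 0600);
chmod("$base/config/db.ini", 0600);

$a = load_config_include("$base/config/db.php", "$base/public_html");
$b = load_config_ini("$base/config/db.ini", "$base/public_html");
printf("include variant: %s@%s/%s\n", $a['user'], $a['host'], $a['dbname']);
printf("ini variant:     %s@%s/%s\n", $b['user'], $b['host'], $b['dbname']);
printf("both variants yield the same settings: %s\n", $a == $b ? 'yes' : 'no');

// A copy dropped under the document root is refused no matter what it is named.
copy("$base/config/db.ini", "$base/public_html/db.ini");
try {
    load_config_ini("$base/public_html/db.ini", "$base/public_html");
} catch (RuntimeException $e) {
    echo "refused: {$e->getMessage()}\n";
}
// $pdo = db_connect($a);  // uncomment where a MySQL server is actually reachable
```

Both loaders end up with the same array, which is the original poster's point: the difference between the two variants is parsing versus executing the file, not security. The checks are what make either one safe to rely on; a `.ini` or `.txt` copy that lands inside the document root is served verbatim by the web server, whereas a mis-placed `.php` file at least only outputs what it echoes, which is why the checks above treat location and mode as the things worth verifying rather than the file format.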
Re: Getting a password securely
wengaga wrote:
The climate in our country is very pleasant. (snip) It’s always warm in spring, hot in summer and cold in winter. (snip)
My favourite season is autumn, because it’s always warm in September and October. (snip) It’s often cold in November. It’s certainly interesting. The other reason is the days are short and the nights are long. The sun rises late and sets early. I can do my favourite things in the evening. (snip)

I give 100 points for the idea,
-100 points for execution,
and -1000 points for advertising on a forum with people who actually know what they're doing.
Re: Getting a password securely
Don't bother flaming him, I deleted all 10 of his posts and his account within 20 minutes of his registration and posting. We try to keep on top of such things here. You can help by flagging spam posts.
Re: Getting a password securely
I was actually serious.
Was a unique idea, executed poorly, and a terrible choice of forum.
I flagged one of his posts, but I figured you guys were probably on top of it already
Re: Getting a password securely
egg82 wrote:
I was actually serious.
Was a unique idea, executed poorly, and a terrible choice of forum.
I flagged one of his posts, but I figured you guys were probably on top of it already

It doesn't matter if it quotes from the Bible or the Koran or the Torah--if its purpose is to display spam links, it's just spam and away it goes!
I did notice that there was one spam report on him, but didn't notice who flagged him. Thanks. It really helps!