PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 

All times are UTC - 5 hours




PostPosted: Sun Nov 27, 2011 11:21 am 
Forum Newbie

Joined: Wed Dec 29, 2010 2:59 pm
Posts: 9
I understand that the commonly used means of securely supplying a password to a script is to store it in a text file outside the document directory. The script reads the file and extracts the password. Because the password is stored outside the document directory, it is difficult for an intruder to steal.

This makes sense, but it seems more complicated than necessary. Why not assign the password to a variable in an include file stored outside the document directory? The script can simply include the file instead of having to open a file, read it, and parse it. The security is the same.

I've tried this technique on my development system (WAMP) and on my client's hosted test site (LAMP), and it works in both places. (In each case the directory I chose was the parent of the document root. In Windows it is the root directory of my data disk. In Linux it is a child of the account's home directory.)

Am I just lucky that this is working for me? I'm puzzled that it isn't used in preference to the read-a-file technique.


PostPosted: Sun Nov 27, 2011 7:04 pm 
DevNet Resident

Joined: Wed Apr 01, 2009 1:31 pm
Posts: 1532
I wasn't aware of such a preference, but if there is one, storing the password by itself probably reduces confusion for site maintenance personnel who are unfamiliar with PHP syntax.


PostPosted: Mon Nov 28, 2011 12:30 am 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
If you are talking about storing just a single password (not different passwords for different users), I would guess there's no measurable performance difference and I wouldn't think there's any difference at all in your PHP script, other than how obvious it is in reading the script to recognize the purpose of the code line that reads the password. The include file approach isn't as obvious, which might be considered an advantage--until you consider the common issue of you coming back a year later and trying to figure out what you did, or another programmer becoming responsible for the code.

However, the concept of storing a password in plain text is probably not a good idea to begin with, even if it's not easily accessible via HTTP. Have you considered storing a hashed (encrypted) version of the password, then comparing the hashed version of what the user offers as the password against the stored value? That is the customary way of handling a password.


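The hash-and-compare flow califdon describes, written out as an added example (not code from this thread) using PHP's password_hash() and password_verify(). It applies to passwords that users present at login, which is what the reply is about; the next post points out that it does not fit a database connection password, which the script has to hand to the server in clear. The in-memory $users array, the user names, the function names and the sample password are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Registration or password change: keep only the hash. password_hash() draws a random
// salt and encodes algorithm, cost and salt into the string it returns, so one column
// holds everything password_verify() needs later. The plaintext is never stored.
function storedHashFor(string $plaintext): string
{
    return password_hash($plaintext, PASSWORD_DEFAULT);
}

// Login: hash the offered password under the parameters embedded in the stored hash
// and compare the two hashes in constant time.
function passwordMatches(string $offered, string $storedHash): bool
{
    return password_verify($offered, $storedHash);
}

// When PHP's default algorithm or cost changes, the only moment the plaintext is in
// hand is a successful login, so that is where an old hash gets upgraded.
function hashAfterLogin(string $offered, string $storedHash): string
{
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        return password_hash($offered, PASSWORD_DEFAULT);
    }
    return $storedHash;
}

// $users is a constructed stand-in for a users table: name => stored hash.
function login(array &$users, string $name, string $offered): bool
{
    if (!isset($users[$name])) {
        // Verify against a throwaway hash so an unknown name costs about the same
        // time as a wrong password, instead of returning instantly and revealing
        // which names exist.
        static $dummy = null;
        $dummy ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
        password_verify($offered, $dummy);
        return false;
    }
    if (!passwordMatches($offered, $users[$name])) {
        return false;
    }
    $users[$name] = hashAfterLogin($offered, $users[$name]);
    return true;
}

$users = ['alice' => storedHashFor('correct horse battery staple')];

var_dump(login($users, 'alice', 'correct horse battery staple'));   // correct password
var_dump(login($users, 'alice', 'Correct horse battery staple'));   // wrong case
var_dump(login($users, 'mallory', 'anything at all'));              // unknown user
```

Two caveats from the PHP documentation worth keeping in mind: bcrypt, the current PASSWORD_DEFAULT, uses only the first 72 bytes of the password, so reject or warn on longer input rather than silently truncating it; and the column that stores the hash should be wider than bcrypt's 60 characters (VARCHAR(255) is the usual advice) because PASSWORD_DEFAULT may change to a longer output in a later PHP release.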
PostPosted: Thu Dec 01, 2011 10:04 am 
Forum Newbie

Joined: Wed Dec 29, 2010 2:59 pm
Posts: 9
califdon, I didn't make it clear that I'm talking about a database password, not a user password. The hashing technique isn't applicable there. Reversible encryption would be, but is overkill in this case.

With the password go a server address, a user name, and a database name. So, while there is only one password, there are several pieces of information.


PostPosted: Thu Dec 01, 2011 10:58 am 
Forum Regular

Joined: Tue Sep 28, 2010 11:41 am
Posts: 984
Location: Columbus, Ohio
A common approach is to make a file called something like "connect.php", open your DB connection in there, then just include that from any page that will use the database.

The idea of putting it somewhere outside of the web root: let's be honest, if someone is on your server and able to see your PHP source code, they are going to see that you are including the file from WHEREVER on your server, and will be able to view the content of it as well.

If you encrypt it, they will see the code that decrypts it.

-Greg


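The arrangement the original question and Greg's reply describe, written out as an added example that is not code from this thread: a credentials file kept in a private directory beside the document root, and a connect.php in the web root that every page includes. The block shows three separate files. The directory layout (<account>/private/ next to <account>/public_html/), the function name db(), the table and the placeholder credentials are assumptions.

```php
<?php
// ===== file: <account>/private/db-credentials.php (hypothetical path, outside the web root)
// Kept with a .php extension on purpose: if this file is ever copied under the web root
// by mistake, the server executes it and outputs nothing instead of serving the text.
// It returns the settings rather than assigning globals, so the including script picks
// the variable name and nothing is left behind in the global scope.
return [
    'host'     => 'localhost',
    'dbname'   => 'app',
    'user'     => 'app_user',
    'password' => 'replace-me',   // placeholder, not a real credential
];

<?php
// ===== file: <account>/public_html/connect.php
// Included by every page that talks to the database (the connect.php Greg describes).
declare(strict_types=1);

function db(): PDO
{
    static $pdo = null;                      // one connection per request
    if ($pdo instanceof PDO) {
        return $pdo;
    }

    // Absolute path derived from this file's location, so it depends neither on
    // include_path nor on the current working directory (which differ between CLI
    // and web runs).
    $credFile = dirname(__DIR__) . '/private/db-credentials.php';

    if (!is_file($credFile)) {
        throw new RuntimeException('database credentials file not found');
    }
    // On a shared Linux host the realistic exposure is other accounts on the same box:
    // refuse to start if the file is group- or world-readable.
    if (PHP_OS_FAMILY !== 'Windows' && (fileperms($credFile) & 0044) !== 0) {
        throw new RuntimeException('database credentials file is readable by other users');
    }

    $cfg = require $credFile;                // the file's `return [...]` is the value of require
    foreach (['host', 'dbname', 'user', 'password'] as $key) {
        if (!isset($cfg[$key]) || !is_string($cfg[$key])) {
            throw new RuntimeException("database credentials file lacks '$key'");
        }
    }
    // The read-a-text-file variant from the question is one call instead of require:
    //   $cfg = parse_ini_file(dirname(__DIR__) . '/private/db.ini');

    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $cfg['host'], $cfg['dbname']);
    $pdo = new PDO($dsn, $cfg['user'], $cfg['password'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    ]);
    unset($cfg);                             // drop the password from the live variable
    return $pdo;
}

<?php
// ===== file: <account>/public_html/index.php (any page that needs the database)
require __DIR__ . '/connect.php';

try {
    $stmt = db()->prepare('SELECT name FROM users WHERE id = ?');
    $stmt->execute([42]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
} catch (PDOException $e) {
    // A failed connection message names the host and user ("Access denied for user
    // 'app_user'@'localhost'"): log it, never echo it to the browser.
    error_log($e->getMessage());
    http_response_code(500);
    exit('database unavailable');
}
```

The permission check assumes the common shared-hosting setup where PHP runs as the account owner (suexec or a per-user php-fpm pool), so the file can be mode 0600. Where the web server runs as a separate user such as www-data, the file has to be group-readable by that server's group, and the mask in the check drops to 0004 (world-readable only). Greg's point stands either way: anyone who can read your PHP source on the server can follow the require to the credentials file; the private directory protects against the web server handing the file out over HTTP, not against a compromised account.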
PostPosted: Mon Jan 30, 2012 1:08 pm 
Forum Contributor

Joined: Sat Oct 01, 2011 9:29 pm
Posts: 156
Location: Colorado, USA
Never, ever, ever, ever, ever store passwords in plaintext in a file. Even on a server. Why?
No matter what that file is named, there is always the possibility of someone stumbling upon that file somehow. Google presents a good example of this.

And what Greg said: Put the database password in a .php file (because no matter how the user gets the file - server request, client request, download, etc. the only thing that shows is whatever you decide to output) and make sure the only people that have the ability to view the source (via FTP, etc.) are people that you choose.


PostPosted: Mon Feb 06, 2012 11:51 pm 
Forum Contributor

Joined: Sat Oct 01, 2011 9:29 pm
Posts: 156
Location: Colorado, USA


PostPosted: Tue Feb 07, 2012 12:03 am 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
Don't bother flaming him, I deleted all 10 of his posts and his account within 20 minutes of his registration and posting. We try to keep on top of such things here. You can help by flagging spam posts.


PostPosted: Tue Feb 07, 2012 12:09 am 
Forum Contributor

Joined: Sat Oct 01, 2011 9:29 pm
Posts: 156
Location: Colorado, USA
I was actually serious.
It was a unique idea, executed poorly, and a terrible choice of forum.

I flagged one of his posts, but I figured you guys were probably on top of it already.


PostPosted: Tue Feb 07, 2012 12:50 pm 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA

