Securing DB Password

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

spacebiscuit
Forum Contributor
Posts: 390
Joined: Mon Mar 07, 2005 3:20 pm

Securing DB Password

Post by spacebiscuit »

Hi all,

If I want to secure my database login information, is it sufficient to use an htaccess file to deny all on the folder or it is best practice to place the file with the secure credentials outside of the webroot?

Or would there be any further benefit in storing the credentials outside of the webroot and hashing them with a script within the web root protected by htaccess?

Thanks,

David.
twinedev
Forum Regular
Posts: 984
Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio

Re: Securing DB Password

Post by twinedev »

Here is the fact: Anywhere you put it, and anything you do to it for a web page to use, if you are hacked to the point that they could read the raw PHP file in a web directory which would have the credentials, they are going to have enough access to see where you are calling the password from, and what you are doing to encrypt it (Hashing is one way).

-Greg
spacebiscuit
Forum Contributor
Posts: 390
Joined: Mon Mar 07, 2005 3:20 pm

Re: Securing DB Password

Post by spacebiscuit »

Sure, I understand if the would-be hacker has ftp access for example then no matter what measures are put in place the password can be seen.

What about protecting from the web side though.
twinedev
Forum Regular
Posts: 984
Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio

Re: Securing DB Password

Post by twinedev »

What exactly are you trying to protect it from? If they are going to be able to see the source code of the PHP file that contains login information, they will almost certainly be able to view any file the website can view as well.

-Greg

PS, they don't have to have FTP access to view files on the system. If you are running a script that allows them to execute commands (i.e., outdated WordPress or something that allows a web visitor to upload a .php file to somewhere they can browse to it) and get a file such as c99shell onto the server, they will not only be able to view any file, but then also have a nice utility for accessing your database.
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: Securing DB Password

Post by requinix »

spacebiscuit wrote: is it best practice to place the file with the secure credentials outside of the webroot?

Yes. The reality is that you can leave them in the web root and either (a) block access with a .htaccess or equivalent or (b) make sure the included files are named .php (or something else that would be parsed by PHP by default) and know that even if someone tried to access the file directly, PHP would simply execute the contents of the file as if it were a normal script.
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: Securing DB Password

Post by pickle »

I always store mine outside the web root. It may be a bit paranoid of me, but securing them with an .htaccess file is dicey in case a sysadmin decides to not allow .htaccess to be executed. Securing them by putting them in a .php file is dicey in case a PHP/Apache upgrade disconnects PHP from Apache, thus causing Apache to not know about PHP files, causing it to serve up PHP files in plain text.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
spacebiscuit
Forum Contributor
Posts: 390
Joined: Mon Mar 07, 2005 3:20 pm

Re: Securing DB Password

Post by spacebiscuit »

Thanks for the replies.

My initial thoughts were to hash the database login details but as twinedev pointed out this would be pointless, I had overlooked the fact that somewhere in the script a plain-text copy of the password would be required anyway. Besides you can make a db connection with a hashed password anyway. So even if I stored a hashed copy of the password it's of no use if I want to connect to the database!

I've gone for putting the includes folder outside of the web root. I know it is not fail-safe, but at least it does offer some security WAN side.

Thanks!
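A concrete layout for the approach the thread settles on, as an added example that is not code from any poster: the credentials file lives one level above the document root, and the only script inside the web root requires it by filesystem path. The paths (/var/www/site/public/ as document root, /var/www/site/config/db.php for the credentials) and the placeholder password are assumptions.

```php
<?php
// /var/www/site/public/db_connect.php  (assumed path, INSIDE the web root)
//
// The credentials file is assumed to be /var/www/site/config/db.php, OUTSIDE
// the web root, and to contain nothing but:
//     <?php
//     return ['dsn' => 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4',
//             'user' => 'app_user', 'password' => 'PLACEHOLDER-change-me'];
// Returning an array (rather than defining globals or echoing anything) means
// that even if the file were ever served or included by mistake, it prints nothing.
declare(strict_types=1);

// Resolve the credentials file relative to this script, not relative to a URL.
$configPath = realpath(__DIR__ . '/../config/db.php');
$docRoot    = realpath($_SERVER['DOCUMENT_ROOT'] ?? __DIR__) ?: __DIR__;

// Fail closed: refuse to start if the file is missing, or if a bad deploy has
// copied it under the document root where the web server could hand it out
// as plain text (the failure mode pickle describes above).
if ($configPath === false
    || str_starts_with($configPath, $docRoot . DIRECTORY_SEPARATOR)) {
    error_log('db_connect: credentials file missing or located under the web root');
    http_response_code(500);
    exit('Database configuration error.');
}

$cfg = require $configPath;

try {
    $pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['password'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
} catch (PDOException $e) {
    // Log the detail server-side only: PDO messages can include the host,
    // user name and DSN, which must never reach the browser.
    error_log('db_connect: ' . $e->getMessage());
    http_response_code(500);
    exit('Database unavailable.');
}

// $pdo is now ready for use by the including script; the plain-text password
// exists only in config/db.php and in this process's memory, as the thread notes.
```

The `.htaccess` deny-all that the question mentions remains a useful second layer for any directory inside the web root, but it is not what keeps these credentials off the wire; the directory placement is.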
priyankagound
Forum Commoner
Posts: 27
Joined: Thu Sep 19, 2013 2:53 am

Re: Securing DB Password

Post by priyankagound »

The below link may help you to understand and clear your doubts.

http://uranus.chrysocome.net/linux/php/passwords.htm

Hope it helps you.