PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
All times are UTC - 5 hours

 Post subject: Securing DB Password
PostPosted: Mon Jan 07, 2013 7:21 am 
Forum Contributor

Joined: Mon Mar 07, 2005 4:20 pm
Posts: 390
Hi all,

If I want to secure my database login information, is it sufficient to use an htaccess file to deny all on the folder or it is best practice to place the file with the secure credentials outside of the webroot?

Or would there be any further benefit in storing the crendentials outside of the webroot and hashing them with a script within the web root protected by htaccess.

Thanks,

David.


 Post subject: Re: Securing DB Password
PostPosted: Mon Jan 07, 2013 8:50 am 
Forum Regular

Joined: Tue Sep 28, 2010 11:41 am
Posts: 984
Location: Columbus, Ohio
Here is the fact: Anywhere you put it, and anything you do to it for a web page to use, if you are hacked to the point that they could read the raw PHP file in a web directory which would have the credentials, they are going to have enough access to see where you are calling the password from, and what you are doing to encrypt it (Hashing is one way).

-Greg


 Post subject: Re: Securing DB Password
PostPosted: Mon Jan 07, 2013 9:20 am 
Forum Contributor

Joined: Mon Mar 07, 2005 4:20 pm
Posts: 390
Sure, I understand if the would-be hacker has FTP access, for example, then no matter what measures are put in place the password can be seen.

What about protecting from the web side, though?


 Post subject: Re: Securing DB Password
PostPosted: Mon Jan 07, 2013 2:03 pm 
Forum Regular

Joined: Tue Sep 28, 2010 11:41 am
Posts: 984
Location: Columbus, Ohio
What exactly are you trying to protect it from? If they are going to be able to see the source code of the PHP file that contains login information, they will almost certainly be able to view any file the website can view as well.

-Greg

PS, they don't have to have FTP access to view files on the system; if you are running a script that allows them to execute commands (i.e., outdated WordPress or something that allows a web visitor to upload a .php file to somewhere they can browse to it) and get a file such as c99shell onto the server, they will not only be able to view any file, but then also have a nice utility for accessing your database.


 Post subject: Re: Securing DB Password
PostPosted: Mon Jan 07, 2013 2:06 pm 
Spammer :|

Joined: Wed Oct 15, 2008 2:35 am
Posts: 6617
Location: WA, USA
spacebiscuit wrote:
is it best practice to place the file with the secure credentials outside of the webroot?

Yes. The reality is that you can leave them in the web root and either (a) block access with a .htaccess or equivalent, or (b) make sure the included files are named .php (or something else that would be parsed by PHP by default) and know that even if someone tried to access the file directly, PHP would simply execute the contents of the file as if it were a normal script.


 Post subject: Re: Securing DB Password
PostPosted: Mon Jan 07, 2013 5:59 pm 
Briney Mod

Joined: Mon Jan 19, 2004 7:11 pm
Posts: 6445
Location: 53.01N x 112.48W
I always store mine outside the web root. It may be a bit paranoid of me, but securing them with an .htaccess file is dicey in case a sysadmin decides to not allow .htaccess to be executed. Securing them by putting them in a .php file is dicey in case a PHP/Apache upgrade disconnects PHP from Apache, thus causing Apache to not know about PHP files, causing it to serve up PHP files in plain text.

_________________
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
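Both of the approaches above (keeping the credentials in an includes folder and relying on .htaccess or the .php extension, versus moving the file above the DocumentRoot) come down to one question: can the credentials file ever be served as plain text? The following loader is an added example written for this thread, not code from any poster; it assumes a hypothetical layout where /var/www/example.com/public is the DocumentRoot and the credentials sit one level up in /var/www/example.com/config/db.php, and it assumes PHP 8 (for str_starts_with). It refuses to load the file at all if the resolved path turns out to be inside the web root, which is exactly the configuration the mod's post warns can leak after an Apache/PHP upgrade.

```php
<?php
// Added example (not from the thread): load database credentials from a file
// kept outside the web root, and refuse to proceed if the resolved path turns
// out to be inside the directory Apache serves.
//
// Assumed layout (hypothetical paths):
//   /var/www/example.com/public/index.php   <- DocumentRoot
//   /var/www/example.com/config/db.php      <- credentials, one level up
declare(strict_types=1);

/**
 * Return the credentials array defined in $configFile after checking that the
 * file lives outside $documentRoot. Throws rather than returning partial data.
 */
function loadDbConfig(string $configFile, string $documentRoot): array
{
    $real = realpath($configFile);
    $root = realpath($documentRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('config file or document root does not exist');
    }

    // Anything under the web root can be fetched as plain text the moment PHP
    // stops being bound to Apache or .htaccess overrides are switched off.
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (str_starts_with($real, $rootPrefix)) {
        throw new RuntimeException("refusing to load credentials from inside the web root: $real");
    }
    if (!is_readable($real)) {
        throw new RuntimeException("credentials file is not readable: $real");
    }

    // The config file returns an array instead of defining globals, so
    // including it from two places is harmless.
    $config = require $real;
    foreach (['host', 'user', 'password', 'dbname'] as $key) {
        if (!isset($config[$key]) || !is_string($config[$key])) {
            throw new RuntimeException("missing or invalid key '$key' in $real");
        }
    }
    return $config;
}

// Contents of /var/www/example.com/config/db.php (constructed sample; the
// password is a placeholder):
//
//   <?php
//   return [
//       'host'     => 'localhost',
//       'user'     => 'app_user',
//       'password' => 'CHANGE_ME_placeholder',
//       'dbname'   => 'app',
//   ];

// Usage from a script under the DocumentRoot, e.g. public/index.php:
$config = loadDbConfig(__DIR__ . '/../config/db.php', $_SERVER['DOCUMENT_ROOT']);
$mysqli = new mysqli($config['host'], $config['user'], $config['password'], $config['dbname']);
```

Pair this with filesystem permissions so the credentials file is readable only by the web server's user or group (for example mode 0640, owned by the deploying user with the web server's group; an assumption about your hosting setup, not something the thread states). If you do keep an includes folder under the web root as a fallback, remember that a .htaccess deny rule only works when the server config permits overrides for that directory, which is the sysadmin dependency the post above describes.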

 Post subject: Re: Securing DB Password
PostPosted: Tue Jan 08, 2013 7:08 am 
Forum Contributor

Joined: Mon Mar 07, 2005 4:20 pm
Posts: 390
Thanks for the replies.

My initial thoughts were to hash the database login details, but as twinedev pointed out this would be pointless; I had overlooked the fact that somewhere in the script a plain-text copy of the password would be required anyway. Besides, you can make a db connection with a hashed password anyway. So even if I stored a hashed copy of the password it's of no use if I want to connect to the database!

I've gone for putting the includes folder outside of the web root. I know it is not fail-safe, but at least it does offer some security WAN side.

Thanks!

 Post subject: Re: Securing DB Password
PostPosted: Wed Sep 25, 2013 2:50 am 
Forum Commoner

Joined: Thu Sep 19, 2013 2:53 am
Posts: 27
The below link may help you to understand and clear your doubts.

http://uranus.chrysocome.net/linux/php/passwords.htm

Hope it helps you.
