Securing DB Password

Posted: Mon Jan 07, 2013 6:21 am
by spacebiscuit
Hi all,

If I want to secure my database login information, is it sufficient to use an htaccess file to deny all on the folder or it is best practice to place the file with the secure credentials outside of the webroot?

Or would there be any further benefit in storing the credentials outside of the webroot and hashing them with a script within the web root protected by htaccess?

Thanks,

David.

Re: Securing DB Password

Posted: Mon Jan 07, 2013 7:50 am
by twinedev
Here is the fact: Anywhere you put it, and anything you do to it for a web page to use, if you are hacked to the point that they could read the raw PHP file in a web directory which would have the credentials, they are going to have enough access to see where you are calling the password from, and what you are doing to encrypt it (Hashing is one way).

-Greg

Re: Securing DB Password

Posted: Mon Jan 07, 2013 8:20 am
by spacebiscuit
Sure, I understand if the would-be hacker has FTP access, for example, then no matter what measures are put in place the password can be seen.

What about protecting from the web side though.

Re: Securing DB Password

Posted: Mon Jan 07, 2013 1:03 pm
by twinedev
What exactly are you trying to protect it from? If they are going to be able to see the source code of the PHP file that contains login information, they will almost certainly be able to view any file the website can view as well.

-Greg

PS, they don't have to have FTP access to view files on the system. If you are running a script that allows them to execute commands (i.e., outdated WordPress or something that allows a web visitor to upload a .php file to somewhere they can browse to it) and get a file such as c99shell onto the server, they will not only be able to view any file, but will then also have a nice utility for accessing your database.

Re: Securing DB Password

Posted: Mon Jan 07, 2013 1:06 pm
by requinix
spacebiscuit wrote: is it best practice to place the file with the secure credentials outside of the webroot?
Yes. The reality is that you can leave them in the web root and either (a) block access with a .htaccess or equivalent or (b) make sure the included files are named .php (or something else that would be parsed by PHP by default) and know that even if someone tried to access the file directly PHP would simply execute the contents of the file like if it were a normal script.

Re: Securing DB Password

Posted: Mon Jan 07, 2013 4:59 pm
by pickle
I always store mine outside the web root. It may be a bit paranoid of me, but securing them with an .htaccess file is dicey in case a sysadmin decides to not allow .htaccess to be executed. Securing them by putting them in a .php file is dicey in case a PHP/Apache upgrade disconnects PHP from Apache, thus causing Apache to not know about PHP files, causing it to serve up PHP files in plain text.
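The layout requinix and pickle describe, as an added example that is not code from the thread: the credentials live in a PHP file one level above the document root and are pulled in with a relative `require`, so a web request can never reach the file regardless of whether .htaccess is honoured or PHP is still wired into Apache. The directory names, the `app_user` account and the `CHANGE-ME` password are assumed placeholders.

```php
<?php
// Added example, not from the thread. Assumed (hypothetical) layout:
//   /var/www/example/config/db.php      <- credentials, OUTSIDE the web root
//   /var/www/example/public/index.php   <- Apache DocumentRoot is .../public
//
// config/db.php holds nothing but a returned array:
//   <?php
//   return [
//       'dsn'  => 'mysql:host=localhost;dbname=app;charset=utf8mb4',
//       'user' => 'app_user',
//       'pass' => 'CHANGE-ME',
//   ];
//
// If the file cannot be moved out of the web root, the fallback discussed in
// the thread is an .htaccess in that folder that refuses every request
// (Apache 2.4: "Require all denied"; Apache 2.2: "Order deny,allow" +
// "Deny from all"). Keeping the .php extension is the second fallback: the
// file only returns an array, so executing it directly produces no output.

declare(strict_types=1);

/**
 * Load the credentials file and refuse to run with a file that is world
 * readable, since the secret inside it is only as private as its mode bits.
 */
function loadDbConfig(string $configDir): array
{
    $file = $configDir . '/db.php';
    if (!is_file($file)) {
        throw new RuntimeException("DB config not found: $file");
    }

    // 0007 = read/write/execute bits for "other"; any of them set is a defect.
    if ((fileperms($file) & 0007) !== 0) {
        throw new RuntimeException("DB config $file is world accessible; use chmod 640");
    }

    $config = require $file;
    foreach (['dsn', 'user', 'pass'] as $key) {
        if (!is_array($config) || empty($config[$key])) {
            throw new RuntimeException("DB config is missing '$key'");
        }
    }
    return $config;
}

/** Open the connection; exceptions rather than silent failures on bad SQL. */
function connectDb(array $config): PDO
{
    return new PDO($config['dsn'], $config['user'], $config['pass'], [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
    ]);
}

// From public/index.php, dirname(__DIR__) is /var/www/example, i.e. one level
// above DocumentRoot, so the path never resolves to something Apache serves.
$config = loadDbConfig(dirname(__DIR__) . '/config');
$pdo    = connectDb($config);
```

Because the include path is computed from `__DIR__` rather than from a URL or request parameter, moving the document root or disabling .htaccess does not change which file is loaded, and the permission check turns the "another local user can read it" case from a silent leak into a visible startup error.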

Re: Securing DB Password

Posted: Tue Jan 08, 2013 6:08 am
by spacebiscuit
Thanks for the replies.

My initial thoughts were to hash the database login details, but as twinedev pointed out this would be pointless. I had overlooked the fact that somewhere in the script a plain-text copy of the password would be required anyway. Besides, you can make a db connection with a hashed password anyway. So even if I stored a hashed copy of the password it's of no use if I want to connect to the database!

I've gone for putting the includes folder outside of the web root. I know it is not fail-safe, but at least it does offer some security WAN side.

Thanks!

Re: Securing DB Password

Posted: Wed Sep 25, 2013 2:50 am
by priyankagound
The below link may help you to understand and clear your doubts.

http://uranus.chrysocome.net/linux/php/passwords.htm

Hope it helps you.