Database access: Protecting a username/password?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

ambivalent
Forum Contributor
Posts: 173
Joined: Thu Apr 14, 2005 8:58 pm
Location: Toronto, ON

Post by ambivalent »

In the context of the following:

$connect_to_database=mysql_connect($sql_server, $db_user, $password);
where a given script needs to interact with a database without user intervention, except for the page request (say, for an image gallery or other list of data), the script needs to pass the correct credentials to the database to obtain the required information.

I've looked around and, assuming that one does not have the option of storing the information outside of the publicly accessible webroot, the next best thing seems to be to protect the data with .htaccess, as described here: http://www.si.umich.edu/computing/howto ... curity.php or here: viewtopic.php?t=6680

Is this reasonably effective security or is there a better (and not excessively complicated) way to accomplish this?
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

Why can't you store the info outside the web accessible area?

Simply use an include to a file outside the accessible area in which those connection details are set.


The next important thing is that the db username and password is only set to what the web application needs to do.

e.g. if the application just needs to read the username and password, edit or delete should not be allowed by that username.
ambivalent
Forum Contributor
Posts: 173
Joined: Thu Apr 14, 2005 8:58 pm
Location: Toronto, ON

Post by ambivalent »

AGISB wrote: Why can't you store the info outside the web accessible area?
Simply use an include to a file outside the accessible area in which those connection details are set.
It's a hosted server so I only have ftp access to the web directory.

The next important thing is that the db username and password is only set to what the web application needs to do.
Noted, thanks.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

a) Nobody should ever see your php code since it's parsed by the ser
b) When you FTP to your host you surely have access to more than the public_html dir?

Use ../ if you need to go up a level :-)
ambivalent
Forum Contributor
Posts: 173
Joined: Thu Apr 14, 2005 8:58 pm
Location: Toronto, ON

Post by ambivalent »

d11wtq wrote: a) Nobody should ever see your php code since it's parsed by the ser
b) When you FTP to your host you surely have access to more than the public_html dir?

Use ../ if you need to go up a level
I tried "../" before and received "Permission Denied" as a response - from there I just assumed I had no access to anything above public_html.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

You CHMOD, right? You'll have to do it that way. My webhost lets me view lower directories, but I don't have write permissions for them.
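
The advice in this thread as an added example, not code from any of the posters: the credentials live in their own file, a check warns when that file sits inside the document root or is world-readable, and the connection uses a read-only account. It uses PDO in place of the question's mysql_connect(), which was removed in PHP 7. The file name db-config.php, the account gallery_ro, the database name gallery and both function names are assumptions.

```php
<?php
declare(strict_types=1);
// Added example; db-config.php, gallery_ro and both function names are hypothetical.

/** Return a list of warnings about where and how the credentials file is stored. */
function audit_credentials_file(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);
    if ($real === false) {
        return ["credentials file not found: $configPath"];
    }
    $warnings = [];
    $root = realpath($docRoot);
    // Inside the web root the file is protected only by the server configuration:
    // if PHP handling is ever switched off, the source is served as plain text.
    if ($root !== false && strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0) {
        $warnings[] = 'file is inside the document root; move it out or deny it in .htaccess';
    }
    // The "other" read bit lets any account on a shared host read the password.
    // Assumes a Unix-like host; whether it can be cleared depends on which user PHP runs as.
    if ((fileperms($real) & 0004) !== 0) {
        $warnings[] = 'file is world-readable; tighten it with chmod if the host allows';
    }
    return $warnings;
}

/** Load credentials from the config file and open the connection. */
function connect_from_config(string $configPath, string $docRoot): PDO
{
    foreach (audit_credentials_file($configPath, $docRoot) as $warning) {
        error_log("db config: $warning"); // goes to the server log, never to the page
    }
    // The config file is assumed to hold nothing but:
    //   return ['dsn' => 'mysql:host=localhost;dbname=gallery',
    //           'user' => 'gallery_ro', 'password' => '(placeholder)'];
    // where gallery_ro is an account granted SELECT only.
    $cfg = require $configPath;
    return new PDO($cfg['dsn'], $cfg['user'], $cfg['password'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Usage from a script in public_html (path is an assumption):
// $db = connect_from_config(__DIR__ . '/../private/db-config.php', $_SERVER['DOCUMENT_ROOT']);
```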