Database access: Protecting a username/password?

Posted: Thu Apr 14, 2005 9:30 pm
by ambivalent
In the context of the following:

$connect_to_database=mysql_connect($sql_server, $db_user, $password);
where a given script needs to interact with a database without user intervention, except for the page request (say, for an image gallery or other list of data), the script needs to pass the correct credentials to the database to obtain the required information.

I've looked around and, assuming that one does not have the option of storing the information outside of the publicly accessible webroot, the next best thing seems to be to protect the data with .htaccess, as described here: http://www.si.umich.edu/computing/howto ... curity.php or here: viewtopic.php?t=6680

Is this reasonably effective security or is there a better (and not excessively complicated) way to accomplish this?

Posted: Fri Apr 15, 2005 12:08 am
by AGISB
Why can't you store the info outside the web accessible area?

Simply use an include to a file outside the accessible area in which those connection details are set.


The next important thing is that the db username and password are only set to what the web application needs to do.

e.g. if the application just needs to read the username and password, edit or delete should not be allowed by that username.
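
The two points in the post above (credentials included from outside the webroot, and a database account limited to what the script needs), as an added example that is not part of the original thread. The paths, the `gallery_ro` account, the `gallery` database and the `images` table are hypothetical, and `mysqli` stands in for the `mysql_connect()` call from the question.

```php
<?php
// Added example. Assumed layout (hypothetical names):
//   /home/site/private/db_config.php    outside the webroot, contains only:
//       return ['host' => 'localhost', 'user' => 'gallery_ro',
//               'pass' => 'PLACEHOLDER', 'name' => 'gallery'];
//   /home/site/public_html/gallery.php  this script

// True only if $file exists and does not resolve to a path under $webroot.
function is_outside_webroot(string $file, string $webroot): bool
{
    $file = realpath($file);            // resolves ../ and symlinks
    $root = realpath($webroot);
    if ($file === false || $root === false) {
        return false;                   // missing file or webroot: refuse
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($file, $root, strlen($root)) !== 0;
}

// Load the credential array, refusing a config file the web server could serve.
function load_db_config(string $file, string $webroot): array
{
    if (!is_outside_webroot($file, $webroot)) {
        throw new RuntimeException('DB config missing or inside the webroot');
    }
    $cfg = require $file;
    foreach (['host', 'user', 'pass', 'name'] as $key) {
        if (!isset($cfg[$key]) || !is_string($cfg[$key])) {
            throw new RuntimeException("DB config is missing '$key'");
        }
    }
    return $cfg;
}

$webroot = !empty($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : __DIR__;
$cfg = load_db_config(dirname($webroot) . '/private/db_config.php', $webroot);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    $db = new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name']);
} catch (mysqli_sql_exception $e) {
    // Log server-side only, so connection details never reach the page output.
    error_log('DB connect failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Service unavailable');
}
// The account is created once by an admin with read access only:
//   GRANT SELECT ON gallery.* TO 'gallery_ro'@'localhost';
$result = $db->query('SELECT id, title FROM images ORDER BY id');
```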

Posted: Fri Apr 15, 2005 11:24 am
by ambivalent
AGISB wrote: Why can't you store the info outside the web accessible area?
Simply use an include to a file outside the accessible area in which those connection details are set.
It's a hosted server so I only have ftp access to the web directory.

The next important thing is that the db username and password are only set to what the web application needs to do.
Noted, thanks.

Posted: Fri Apr 15, 2005 12:01 pm
by Chris Corbyn
a) Nobody should ever see your php code since it's parsed by the ser
b) When you FTP to your host you surely have access to more than the public_html dir?

Use ../ if you need to go up a level :-)

Posted: Fri Apr 15, 2005 1:23 pm
by ambivalent
d11wtq wrote: a) Nobody should ever see your php code since it's parsed by the ser
b) When you FTP to your host you surely have access to more than the public_html dir?

Use ../ if you need to go up a level
I tried "../" before and received "Permission Denied" as a response - from there I just assumed I had no access to anything above public_html.

Posted: Fri Apr 15, 2005 2:21 pm
by Ambush Commander
You CHMOD, right? You'll have to do it that way. My webhost lets me view lower directories, but I don't have write permissions for them.