
PHP and MYSQL config file security

Posted: Fri Jul 06, 2007 4:37 am
by dnasav
I was hoping someone could advise me on how to protect my config.inc file.

I have a config file with username, password, etc info in it, that I have placed outside of the web directory. I am using a shared hosting package. I have read that because this is on a shared host that there are potential security risks. From what I have read the way to stop this from being a potential security risk is to use:

SetEnv DB_USER "myuser"
SetEnv DB_PASS "mypass"

But in order to do this I would need to put an include to the file containing the above data in httpd.conf. The host I am using does not allow access to the httpd.conf.

I thought about putting these in the htaccess file but it appears that this still has a potential to be unsafe.

Is there another way to protect the config information from prying eyes or to set the environment variables and access them in a different place?

Thanks for any help in advance....

Posted: Fri Jul 06, 2007 8:15 am
by feyd
Environment variables are actually just as dangerous as using constants, if memory serves. The reason why is because you can't destroy them immediately after use. Unfortunately, there's no perfect way to store the database access credentials. The best I've found is standard variables that are declared shortly before the connection is requested and destroyed immediately after.

Posted: Fri Jul 06, 2007 10:14 am
by dnasav
Hi. Thanks for the quick response. I am still a bit confused though.

Do you suggest that it is 'safer' to have the variables declared and destroyed every time I connect to the database, ie on each php page that is using mysql?

I have put a .php extension after the real extension on the inc file, and that is meant to help to some extent.

I would obviously like to solve the problem by not having to have the application running on a shared host but that is out of my hands.

Any other advice would be most appreciated.

Thanks again for your help.

Posted: Fri Jul 06, 2007 7:56 pm
by nathanr
feyd wrote: Environment variables are actually just as dangerous as using constants, if memory serves. The reason why is because you can't destroy them immediately after use. Unfortunately, there's no perfect way to store the database access credentials. The best I've found is standard variables that are declared shortly before the connection is requested and destroyed immediately after.
Hear, hear. I also use the same manner to open databases: an array in the config file that has $db['user'] + pass + blah, pass it to a db connect function and have that function remove the user/pass/blah and add in the connection resource instead. Same thing as unsetting individual variables, I suppose.

It's late, my grammar is getting worse...

Posted: Sat Jul 07, 2007 9:52 am
by d3ad1ysp0rk
I believe the point is that no matter how early you destroy your db variables, the fact that they are declared in a place where others on the shared host can look (i.e. config.inc.php or similar) means it's insecure.

I also recall that the solution was to use environment variables like you stated, and to make sure the file is accessible only by root (ie. not by include(), but only by the apache config itself).

I'll have to double check the exact way on Monday.

Posted: Tue Jul 10, 2007 5:10 am
by dnasav
Hi

Thanks for your replies. I think I may have a solution or at least part of it. As d3ad1ysp0rk points out no matter how early you destroy the db variables, they still have to be declared somewhere, and on a shared host they could possibly be found with some degree of digging by someone on that shared host. Anyway this is what I did: I put the config.inc file in a folder outside the main web access folder, ie. in a private folder with a .php extension and an .htaccess file in the same folder with the following code in it, so that only root can access the file:

<Files config.inc.php>
order allow,deny
deny from all
</Files>

How does that sound?
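
Added example, not code from any poster in this thread: a config loader that refuses a credentials file placed inside the web root or readable by other accounts on the host, paired with a connect function that drops the credentials once the connection exists, as described in the replies above. The names load_db_config() and db_connect(), the array keys, the DSN and the /var/www/html web root are hypothetical, PDO stands in for the 2007-era mysql_* calls, and the permission check assumes PHP runs as the account's own user (suEXEC, suPHP or a per-user PHP-FPM pool).

```php
<?php
// Added example; function names, array keys and paths are hypothetical.

/** Load credentials from a PHP file that returns an array, refusing unsafe placements. */
function load_db_config(string $path, string $docRoot): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException('config file not found');
    }
    // The file must sit outside the web root so it can never be served over HTTP.
    $root = realpath($docRoot);
    if ($root !== false && strpos($real, rtrim($root, '/') . '/') === 0) {
        throw new RuntimeException('config file is inside the document root');
    }
    // Other accounts on a shared host read files through the filesystem, not HTTP,
    // so reject any group/other permission bits. Assumes PHP runs as the file owner.
    $mode = fileperms($real) & 0777;
    if ($mode & 0077) {
        throw new RuntimeException(sprintf('config mode %04o is open to other users', $mode));
    }
    return require $real;
}

/** Connect, then remove the credentials so only the connection handle remains. */
function db_connect(array &$db): void
{
    $db['conn'] = new PDO($db['dsn'], $db['user'], $db['pass'],
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    unset($db['dsn'], $db['user'], $db['pass']);
}

// Constructed demonstration: a throwaway config file in the temp directory.
$file = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($file, "<?php return ['dsn' => 'mysql:host=localhost;dbname=app',"
    . " 'user' => 'myuser', 'pass' => 'mypass'];");
$docRoot = '/var/www/html'; // assumed web root

chmod($file, 0644);          // world-readable: the loader must refuse it
try {
    load_db_config($file, $docRoot);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

chmod($file, 0600);          // owner-only: accepted
$db = load_db_config($file, $docRoot);
echo 'loaded keys: ', implode(',', array_keys($db)), "\n";
// db_connect($db);          // needs a reachable MySQL server; leaves only 'conn' in $db
unlink($file);
```

Where PHP runs as a shared web-server user instead of the account's own user, a mode of 0600 would also block the application itself, so the permission check would need to match that host's setup.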