Newbie problem - Where do i put my mysql passwords?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

rr299
Forum Newbie
Posts: 8
Joined: Sat Apr 19, 2008 4:22 pm

Newbie problem - Where do i put my mysql passwords?

Post by rr299 »

Hi I am really new to php so I hope someone can give me some basic advice with this. I am sure the question has been asked hundreds of times but I am struggling to know what to search for so I apologise if this is annoying and say thanks in advance for the help.

Ok so I am in the process of building a CMS using PHP and MySQL. I have a PHP file with my passwords in to access my MySQL database. I want to make sure that someone can't access these through the web. I have read some things about using .htaccess but I am not totally sure if this is what I need. This talks about password protecting a directory but no one will need to access this so I don't think I really need this. I have also read about putting the folder outside of my web directory but I don't really understand how this works. My final option is that my host offers the ability to password protect directories; could I use this?

The information doesn't need to be ultra secure, I just want to make sure someone doesn't play about with it.

If someone could explain the options to me in basic terms I would be very grateful.
Thanks :)
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Newbie problem - Where do i put my mysql passwords?

Post by Mordred »

Hardcoded in a config file ending in .php (not .inc or something else) is fine enough. There are vulnerabilities that can disclose the source code, but that's another answer to another question.
rr299
Forum Newbie
Posts: 8
Joined: Sat Apr 19, 2008 4:22 pm

Re: Newbie problem - Where do i put my mysql passwords?

Post by rr299 »

Really, can't someone just type http://www.mywebsite.co.uk/includes/password.php and see it (if my password were to be in password.php)?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: Newbie problem - Where do i put my mysql passwords?

Post by John Cartwright »

Try it.
rr299
Forum Newbie
Posts: 8
Joined: Sat Apr 19, 2008 4:22 pm

Re: Newbie problem - Where do i put my mysql passwords?

Post by rr299 »

OK, I will; it's not uploaded yet though ;)
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Newbie problem - Where do i put my mysql passwords?

Post by Apollo »

rr299 wrote: I have also read about putting the folder outside of my web directory but I don't really understand how this works.
IMHO this is a simple yet effective and desirable measure. I assume you use FTP to upload the contents to your website. In the home folder of your FTP account (you may go up a dir if FTP doesn't start in the home or root folder by default), you'll see a list of folders like this:

etc
httpdocs
logs
mail
tmp

The httpdocs is where you put the actual content of the website. Note that this folder may also be called something like "public_html" or "htmlroot" or "www" or whatever.

Now, visitors of the website can only access things within that httpdocs folder. So, amongst the dirs listed above (and not inside the httpdocs folder), create a folder called 'secret' or something, and there, you store a password.php which you include from wherever you need it.

For example, if you have a script bla.php which you normally access as http://www.yoursite.com/bla.php, then on the FTP server it will be in httpdocs/bla.php. In bla.php, include the passwords like this:
@require_once('../secret/password.php');
then even if someone manages to view your php sources (e.g. through scary error messages or evil strings in forms or crashing apache or whatever), they still will never be able to reach that particular file.
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Newbie problem - Where do i put my mysql passwords?

Post by Apollo »

Mordred wrote: There are vulnerabilities that can disclose the source code, but that's another answer to another question.
What sort of vulnerabilities do you mean?

I've actually seen parts of php sources on other sites due to a faulty Apache, or e.g. while php files are being uploaded, or other reasons besides just poor php code.
rr299
Forum Newbie
Posts: 8
Joined: Sat Apr 19, 2008 4:22 pm

Re: Newbie problem - Where do i put my mysql passwords?

Post by rr299 »

Thanks Apollo, that is just the sort of basic advice that I needed :) Just to clarify, if I add a folder, say secret, above httpdocs, how do I write the path to it?

Won't it be "up" a level, i.e. a parent of where the main php is...

httpdocs > general website file + connection.php
httpdocs > images > all my images files (path which is images/1.jpg)
secret > pass.php
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Newbie problem - Where do i put my mysql passwords?

Post by Apollo »

rr299 wrote: Won't it be "up" a level ie a parent of where the main php is...
Yes it will, that's what the .. is for.

So to include it from connection.php, you insert a line like this:
@require_once('../secret/password.php');

And if you'd have a subdir on your website called "shop" or something (e.g. http://www.yoursite.com/shop/bla.php), then a script in there would be in
httpdocs > shop > bla.php
And to include the passwords from there, you use:
@require_once('../../secret/password.php');
Note the two times .. because we're going up two parent levels here.
rr299
Forum Newbie
Posts: 8
Joined: Sat Apr 19, 2008 4:22 pm

Re: Newbie problem - Where do i put my mysql passwords?

Post by rr299 »

Amazing, thanks :) You learn something new every day :)
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Newbie problem - Where do i put my mysql passwords?

Post by Apollo »

By the way, note that by using relative paths (with .. to go to parent level, etc) you are causing problems when moving php files from the main httpdocs dir to subdirs or vice versa.

You can overcome this by including your password file like this:

@require_once( $_SERVER['DOCUMENT_ROOT'] . '/../secret/pass.php' );

This will always work in any php file, regardless of where you store it.

That $_SERVER['DOCUMENT_ROOT'] thingy is a server variable that always points to your httpdocs folder (or whatever it's called). So this way it's even compatible when you move the script to another hosting provider, who uses another root dir, e.g. public_html instead of httpdocs.

And just in case you're not familiar with @require_once: the @ sign suppresses error messages. So here it avoids revealing error messages like "error, could not include /secret/pass.php" visible to your visitors. And I recommend require instead of include, because you probably don't want the script to continue if the password can't be included, and _once because there's no need to include it multiple times (which can happen if you include other php's later on which also require the password).
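The layout discussed in this thread, as an added example that is not code from any of the posters: a loader that resolves the credentials file relative to the document root, refuses it if it turns out to sit inside the web root, and logs failures server-side while showing visitors only a generic message. It assumes pass.php returns an array; load_db_config() and the temporary demo tree are hypothetical names constructed for the illustration.

```php
<?php
// Added example (not from the thread). load_db_config() is a hypothetical helper.
function load_db_config(string $docRoot, string $relative = '/../secret/pass.php'): array
{
    $root = realpath($docRoot);
    $file = realpath($docRoot . $relative);   // resolves ".." and symlinks
    if ($root === false || $file === false || !is_readable($file)) {
        throw new RuntimeException('credentials file missing or unreadable');
    }
    // Fail closed if the file resolves to somewhere under the web root.
    if (strpos($file, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('credentials file is inside the web root');
    }
    $config = require $file;                   // pass.php ends with "return [...];"
    if (!is_array($config) || !isset($config['user'], $config['pass'])) {
        throw new RuntimeException('credentials file has unexpected contents');
    }
    return $config;
}

// Constructed demo tree in the temp dir, standing in for the FTP account home.
$home = sys_get_temp_dir() . '/demo_' . uniqid();
mkdir("$home/httpdocs", 0700, true);
mkdir("$home/secret", 0700);
$body = "<?php return ['user' => 'cms_user', 'pass' => 'constructed-sample'];";
file_put_contents("$home/secret/pass.php", $body);
file_put_contents("$home/httpdocs/pass.php", $body);   // the layout to avoid

// In a real page the first argument would be $_SERVER['DOCUMENT_ROOT'].
$cfg = load_db_config("$home/httpdocs");
echo "loaded credentials for {$cfg['user']}\n";

try {
    load_db_config("$home/httpdocs", '/pass.php');
} catch (RuntimeException $e) {
    // Log the detail server-side; show visitors only a generic message.
    error_log('config load failed: ' . $e->getMessage());
    echo "Service temporarily unavailable.\n";
}
```

Run from the command line, the first call loads the file from the secret folder and the second is rejected because that copy sits under httpdocs.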
rr299
Forum Newbie
Posts: 8
Joined: Sat Apr 19, 2008 4:22 pm

Re: Newbie problem - Where do i put my mysql passwords?

Post by rr299 »

Thanks :D