Hi,
// CONNECT TO THE DB SERVER
$mysql_link = mysql_connect("localhost", "root", "") or die('<p>TRY AGAIN!');
// SELECT THE DB
mysql_select_db("db_name", $mysql_link);
I use this code in a page that internet users can see, so the database access username
and password are exposed. So I must protect these. How can I do this effectively? And I must
also protect the MySQL databases in my hosting area. Is there any solution for this problem?
If you can help me, I will be very happy.
Sincerely.
Ahmet Kara
ahmet_k_2002@yahoo.com
Topic: protect the username and password
Posted by hakiki_dolphin (Forum Newbie, 9 posts, joined Thu Jan 30, 2003 3:00 pm)
Hi there,
Ahmet, please tell me you are pumping this information through an SSL.
Why does the user need to see his or her password? If I wanted to get someone's password, why couldn't I just say "Hey, I lost my password!" when indeed I'm someone else? If a user loses, or more correctly, forgets a password, automagically generate a pass and send it to him via an email address.
As for protecting your db...
1) Use a nonstandard port. Keep 'em guessing!
2) Use a firewall! Why let 'em in in the first place?
3) Don't allow connections from anywhere other than the web server.
4) If the web and db server are on the same box, use the mysql.sock and allow no outside tcp/ip connections.
Can't think of anything else...
Cheers,
BDKR
Never connect to the database server as root user with no password. ANYBODY can do the same.
Create a name & pass for your root, "superuser" in the mysql users table.
For your php application, create another mysql user with only the minimum privileges required for ordinary site visitors. Use this info in your php scripts to connect to the database.
You may also want an admin level user, so create another user with extra privileges but DO NOT use the superuser! Never allow connection to a mysql database with all privileges from anywhere within a php website, unless you really have to (i.e. your scripts require all privileges to run).
You don't need SSL unless you have very high security needs.
Finally, put the database link identifier scripts in separate files, in a secure .htaccess protected folder. Include these scripts whenever you need them in other php files.
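A worked version of the account split this reply describes, as an added provisioning script that is not code from the thread. It starts from the poster's situation (root with an empty password), gives root a real password, and creates two confined accounts: one for ordinary page views with row access only, one for admin pages with schema rights on db_name only. It then connects as the low-privilege account and checks that a schema change is refused. Assumptions that are mine, not the thread's: MySQL 5.7+ or MariaDB 10.2+ (ALTER USER syntax), the socket path /var/run/mysqld/mysqld.sock, the account names site and site_admin, and the database name db_name taken from the original post. Run it once from the shell on the database host, never from a web-reachable script.

```php
<?php
// provision_users.php: added example (not from the thread). Run ONCE from the
// shell on the database host, never from a web-reachable script.
// Assumed: MySQL 5.7+ / MariaDB 10.2+ (ALTER USER syntax), local socket at
// /var/run/mysqld/mysqld.sock, and the database 'db_name' from the original post.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false

const SOCKET = '/var/run/mysqld/mysqld.sock';
const DB     = 'db_name';

// Random hex only contains [0-9a-f], so it is safe to interpolate into the DDL
// below (CREATE USER / ALTER USER cannot take bound parameters).
function newPassword(): string
{
    return bin2hex(random_bytes(16));
}

// Starting point is the poster's situation: root with an empty password.
$root = new mysqli('localhost', 'root', '', null, null, SOCKET);

$rootPass  = newPassword();
$sitePass  = newPassword();
$adminPass = newPassword();

$ddl = [
    // 1. Give the superuser a real password; it never appears in any web script.
    "ALTER USER 'root'@'localhost' IDENTIFIED BY '$rootPass'",
    // 2. Account for ordinary page views: row access only, local socket only.
    "CREATE USER 'site'@'localhost' IDENTIFIED BY '$sitePass'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `" . DB . "`.* TO 'site'@'localhost'",
    // 3. Account for admin pages: may change the schema of db_name, nothing global.
    "CREATE USER 'site_admin'@'localhost' IDENTIFIED BY '$adminPass'",
    "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, DROP, INDEX ON `" . DB . "`.* TO 'site_admin'@'localhost'",
];
foreach ($ddl as $sql) {
    $root->query($sql);
}
$root->close();

// Verify the boundary: the 'site' account can read, but cannot touch the schema.
$site   = new mysqli('localhost', 'site', $sitePass, DB, null, SOCKET);
$grants = $site->query('SHOW GRANTS')->fetch_all(MYSQLI_NUM);
foreach ($grants as [$line]) {
    echo $line, "\n";
}
try {
    $site->query('CREATE TABLE priv_probe (id INT)');
    $site->query('DROP TABLE priv_probe');
    echo "UNEXPECTED: site account was allowed to create a table\n";
} catch (mysqli_sql_exception $e) {
    // 1142 = "command denied to user": exactly what least privilege should produce
    echo 'OK: CREATE TABLE refused (error ', $e->getCode(), ")\n";
}
$site->close();

// Print the secrets once; copy them into the protected include file, then clear the terminal.
echo "root      : $rootPass\n";
echo "site      : $sitePass\n";
echo "site_admin: $adminPass\n";
```

The admin account is only ever used by the admin pages, and the root password only at the shell; the web scripts for visitors get the site credentials and nothing more. If the site later needs a privilege the site account lacks, add that one privilege with another GRANT rather than switching the script to a stronger account.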
Quote: "You don't need SSL unless you have very high security needs."

You know, if he's running a linux box, he can provide SSL for free to his clients (it sounds as though he's a host). Any decent Linux distro today that can be downloaded also has SSL. My boss, who was an MS guy for the longest as he didn't know any better, was stunned when I showed him. Besides, if you must send the kind of information he's talking about, don't send it in the clear.

Quote: "...database link identifier scripts in separate files, in a secure .htaccess protected folder."

Now this one here... is a great idea. I wonder why I never thought of it.

Cheers,
BDKR
Quote: "how do you keep the include files separate in a secured directory?"

A "deny from all" .htaccess file in http://www.mysite.com/folder/ will block direct access like this:
http://www.mysite.com/folder/stuff.php
but will allow this:
http://www.mysite.com/nav.php?page=stuff
the file nav.php would include a file depending on the supplied page var - stuff.php in this case
So, your scripts can access a dlid, say, in this folder but no-one can actually open it.
Any files which you DO need to call directly - nav.php in the above example, or a root index.php file if you have one - should be outside the .htaccess tree.
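The layout from the last two replies (the database link script in a separate file under a deny-from-all folder, with nav.php as the only directly callable script), as an added example that is not code from the thread. One caveat the reply does not spell out: if nav.php builds the include path straight from the page parameter, a visitor can ask for any file PHP is able to read, so the example maps page names through a fixed list and rejects anything else. The two files are shown in one block for reading; they live at the paths in the comments. The paths /var/www/html and inc/, the socket path, the account name site and the file names are my own choices; "Deny from all" is the Apache 2.2 directive the reply names, and "Require all denied" is its Apache 2.4 equivalent.

```php
<?php
// ===== /var/www/html/nav.php (publicly reachable, OUTSIDE the protected folder) =====
// Added example (not from the thread). Assumed layout:
//   /var/www/html/inc/.htaccess      contains:  Deny from all        (Apache 2.2)
//                                    or:        Require all denied   (Apache 2.4+)
//   /var/www/html/inc/dbconn.php     credentials + connection (second file below)
//   /var/www/html/inc/pages/*.php    page bodies that nav.php includes
declare(strict_types=1);

// The only page names a visitor may request. The value from the URL is used as a
// key into this list, never as part of a path, so "../" or "/etc/passwd" go nowhere.
const PAGES = [
    'home'  => 'pages/home.php',
    'stuff' => 'pages/stuff.php',
];

function resolvePage(array $query): ?string
{
    $name = $query['page'] ?? 'home';
    if (!is_string($name)) {           // ?page[]=x arrives as an array; refuse it
        return null;
    }
    return PAGES[$name] ?? null;       // unknown name -> null, never a guessed path
}

$target = resolvePage($_GET);
if ($target === null) {
    http_response_code(404);
    exit('No such page');
}

require __DIR__ . '/inc/dbconn.php';   // defines $mysql_link
require __DIR__ . '/inc/' . $target;   // e.g. inc/pages/stuff.php, which may use $mysql_link


// ===== /var/www/html/inc/dbconn.php (separate file, starts with its own <?php tag) =====
// Apache refuses a direct request for this file because of the .htaccess above;
// include()/require() read it from disk, so nav.php still works. The credentials
// are for the low-privilege 'site' account, not root, and the connection goes over
// the local socket; the matching server-side setting is skip-networking (or
// bind-address=127.0.0.1) in my.cnf so MySQL accepts no outside TCP/IP connections.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$mysql_link = new mysqli(
    'localhost',
    'site',                                   // least-privilege account (assumed name)
    'paste-the-generated-site-password-here', // placeholder, not a real secret
    'db_name',                                // database from the original post
    null,
    '/var/run/mysqld/mysqld.sock'             // assumed socket path
);
$mysql_link->set_charset('utf8mb4');
```

Two checks worth doing after setting this up: request http://www.mysite.com/inc/dbconn.php directly and confirm a 403, since the .htaccess only works if the host's AllowOverride permits it; and, if the host allows it, move inc/ above the document root entirely, which protects the file even when .htaccess is ignored.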