protect the username and password

hakiki_dolphin
Forum Newbie
Posts: 9
Joined: Thu Jan 30, 2003 3:00 pm

Post by hakiki_dolphin »

Hi,

// CONNECT TO THE DB SERVER
$mysql_link = mysql_connect("localhost", "root", "") or die('<p>TRY AGAIN!');

// SELECT THE DB
mysql_select_db ("db_name", $mysql_link);

I use this code in a page where internet users can see the database access username and password. So I must protect these. How can I do this effectively? I must also protect the MySQL databases in my hosting area. Is there any solution for this problem?
If you can help me, I will be very happy.
Sincerely.
Ahmet Kara

ahmet_k_2002@yahoo.com
RedDragon
Forum Newbie
Posts: 7
Joined: Wed Feb 19, 2003 3:16 pm

Post by RedDragon »

Your users can't see your PHP code, as it is parsed before being sent to the client.
BDKR
DevNet Resident
Posts: 1207
Joined: Sat Jun 08, 2002 1:24 pm
Location: Florida

Post by BDKR »

Hi there,

Ahmet, please tell me you are pumping this information through SSL. 8O Why does the user need to see his or her password? If I wanted to get someone's password, why couldn't I just say "Hey, I lost my password!" when indeed I'm someone else? If a user loses, or more correctly forgets, a password, automagically generate a pass and send it to him via an email address.

As for protecting your db...

1) Use a nonstandard port. Keep 'em guessing!
2) Use a firewall! Why let 'em in in the first place?
3) Don't allow connections from anywhere other than the web server.
4) If the web and db server are on the same box ( :evil: ), use the mysql.sock and allow no outside TCP/IP connections.

Can't think of anything else...

Cheers,
BDKR
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

Never connect to the database server as root user with no password. ANYBODY can do the same.

Create a name & pass for your root, "superuser" in the mysql users table.

For your php application, create another mysql user with only the minimum privileges required for ordinary site visitors. Use this info in your php scripts to connect to the database.

You may also want an admin level user, so create another user with extra privileges but DO NOT use the superuser! Never allow connection to a MySQL database with all privileges from anywhere within a PHP website, unless you really have to (i.e. your scripts require all privileges to run).

You don't need SSL unless you have very high security needs.

Finally, put the database link identifier scripts in separate files, in a secure .htaccess protected folder. Include these scripts whenever you need them in other php files.
BDKR
DevNet Resident
Posts: 1207
Joined: Sat Jun 08, 2002 1:24 pm
Location: Florida

Post by BDKR »

McGruff wrote: You don't need SSL unless you have very high security needs.
You know, if he's running a Linux box, he can provide SSL for free to his clients (it sounds as though he's a host). Any decent Linux distro today that can be downloaded also has SSL. My boss, who was an MS guy for the longest time as he didn't know any better, was stunned when I showed him. Besides, if you must send the kind of information he's talking about, don't send it in the clear.

Now this one here...
...database link identifier scripts in separate files, in a secure .htaccess protected folder.
... is a great idea. I wonder why I never thought of it. :roll:

Cheers,
BDKR
mindows
Forum Newbie
Posts: 1
Joined: Tue Feb 25, 2003 1:26 pm

Post by mindows »

McGruff wrote:...
Finally, put the database link identifier scripts in separate files, in a secure .htaccess protected folder. Include these scripts whenever you need them in other php files.
How do you keep the include files separate in a secured directory?
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

mindows wrote: How do you keep the include files separate in a secured directory?
A "Deny from all" .htaccess file in http://www.mysite.com/folder/ will block direct access like this:

http://www.mysite.com/folder/stuff.php

but will allow this:

http://www.mysite.com/nav.php?page=stuff
The file nav.php would include a file depending on the supplied page var, stuff.php in this case.

So, your scripts can access a dlid, say, in this folder, but no one can actually open it.

Any files which you DO need to call directly - nav.php in the above example, or a root index.php file if you have one - should be outside the .htaccess tree.
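The two things McGruff recommends in his first reply (a separate MySQL account holding only the privileges ordinary visitors need, and a database-link file kept in a folder the web server refuses to serve but PHP can still include) together with the nav.php?page=stuff dispatcher from his last reply, as one worked example. This is added code, not anything posted in the thread. It assumes PHP 8 with PDO, a folder private/ beside the front controller that contains an .htaccess with "Deny from all" (on Apache 2.4 the equivalent directive is "Require all denied"), a private/dlid.php that returns the DSN and credentials of an account named site_user, and page fragments home.php, stuff.php and news.php in the same folder; every one of those names is an assumption. Two points go beyond what the thread spells out: the dispatcher maps the page parameter through a fixed allowlist instead of building a path from it, so a request like page=../dlid cannot make include() read the credentials file or anything else off the list, and db_connect() refuses to run if SHOW GRANTS shows the account holding ALL PRIVILEGES, GRANT OPTION or global (*.*) rights, which is exactly what the root-with-no-password connection in the first post would trip.

```php
<?php
declare(strict_types=1);

// Added example for this thread, not code posted in it. Assumed layout:
//   nav.php              (this file, the only one requested directly)
//   private/.htaccess    containing "Deny from all" (Apache 2.4: "Require all denied")
//   private/dlid.php     returns ['dsn' => ..., 'user' => ..., 'pass' => ...]
//   private/home.php, private/stuff.php, private/news.php   page fragments
// The account named in dlid.php is assumed to have been created by the
// superuser with only what visitors need, e.g.
//   GRANT SELECT, INSERT ON db_name.* TO 'site_user'@'localhost';
// and never to be the 'root' account with an empty password.

const PRIVATE_DIR = __DIR__ . '/private';

// The only values of ?page= that are ever turned into include paths.
const PAGES = [
    'home'  => 'home.php',
    'stuff' => 'stuff.php',
    'news'  => 'news.php',
];

/**
 * Map the page parameter to a file under PRIVATE_DIR, or null if it is not
 * on the allowlist. The raw parameter is never used to build a path, so
 * "../dlid", "dlid" or "/etc/passwd" all come back as null.
 */
function resolve_page(?string $page): ?string
{
    if ($page === null || $page === '') {
        $page = 'home';
    }
    if (!array_key_exists($page, PAGES)) {
        return null;
    }
    return PRIVATE_DIR . '/' . PAGES[$page];
}

/**
 * Return the GRANT statements that give more than a site account should
 * hold: ALL PRIVILEGES, GRANT OPTION, or any real privilege at global
 * (*.*) scope. "GRANT USAGE ON *.*" is the empty placeholder MySQL prints
 * for every account and is ignored. Pure function, so it runs offline.
 */
function overprivileged_grants(array $grants): array
{
    $bad = [];
    foreach ($grants as $grant) {
        $u = strtoupper($grant);
        $global = str_contains($u, ' ON *.* ') && !str_starts_with($u, 'GRANT USAGE ON *.* ');
        if (str_contains($u, 'ALL PRIVILEGES') || str_contains($u, 'WITH GRANT OPTION') || $global) {
            $bad[] = $grant;
        }
    }
    return $bad;
}

/**
 * Open the database link with the credentials from private/dlid.php and
 * fail closed if the account turns out to be more powerful than intended.
 */
function db_connect(): PDO
{
    $cfg = require PRIVATE_DIR . '/dlid.php';
    $pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $grants = $pdo->query('SHOW GRANTS FOR CURRENT_USER()')->fetchAll(PDO::FETCH_COLUMN);
    $bad = overprivileged_grants($grants);
    if ($bad !== []) {
        throw new RuntimeException('site account is over-privileged: ' . implode('; ', $bad));
    }
    return $pdo;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input so the checks can be exercised without a server.
    var_dump(resolve_page('stuff'));
    var_dump(resolve_page('../dlid'));
    var_dump(overprivileged_grants([
        "GRANT USAGE ON *.* TO 'site_user'@'localhost'",
        "GRANT SELECT, INSERT ON `db_name`.* TO 'site_user'@'localhost'",
    ]));
    var_dump(overprivileged_grants([
        "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    ]));
} else {
    $param = $_GET['page'] ?? null;
    $file = resolve_page(is_string($param) ? $param : null);
    if ($file === null) {
        http_response_code(404);
        exit('No such page.');
    }
    $db = db_connect();   // the included fragment uses $db for its queries
    require $file;
}
```

Run from the command line it exercises the resolver and the grant check on the constructed input; under Apache it dispatches. Two caveats on the .htaccess approach: Apache only honours the file if AllowOverride permits it for that directory, and moving private/ outside the document root altogether removes that dependency, since PHP includes the file from the filesystem and never needs it reachable over HTTP.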