PHP/MYSQL Security Question

Anon

I have made a login screnn with a MYSQL Backend using PHP to authenticate.

The Problem I have now is that my file with the Database name, username and password are stored outside of the script in an included file (.inc).

I was told to store that file outside of the root directory so that a clever little user can't navigate directly to that page and get those precious little variables.

I placed the file outside of the root and guess what? It allows me as a user to login and everything- everything seemed fine, BUT when I asked a few of my members to test it out- they got an error stating that the include file could not be found! What do I have to do to hide that file and make it acessible to the script?

Thanks in advance guys (and gals)!

Anon

You can place your include file parallel to your root web directory, but be sure that in Apache or whatever web server you are using, that the .inc extension is being parsed by PHP.

So if an attacker does find the path to your include file, it will be parsed and sensitive data won't be output (supposing you coded your include file securely).

Also, in your php.ini, turn set the Display Errors option to Off, this will prevent remote users from seeing PHP error messages, which typically include the full path to your PHP files and includes.

omegatron

Anon

That was the problem, I changed the filename to .php instead of .inc

Thank you for your help!

Anon

Note that there are still security issues with this solution (and there probably are with all solutions).

For this file to be included() at all, the user 'nobody' (or whatever apache runs as) needs to have read permissions to this file. So if you're in a shared environment, anyone with an account can make a small .php script that opens your file using fopen() and then read the entire contents. Vincent has an article about this;

http://www.hvt-automation.nl/yapf/faq.php?cmd=viewitem&itemid=108