mySQL connection username/password

adavis

I am new to mySQL and PHP, but have been designing web pages and writing a little perl code for a while. I am getting ready to write my first real database application. All of my books show the username/password hard coded into the php code.

Security wise, is this a good idea? What is the best way to handle this? Shoud the username/password be encrypted in some way and stored in a flat file? If so, what extension and permissions should this file have? Maybe read only, either 644 or 444? This site is hosted on a UNIX server.

Even though the data I'll be storing is not sensitive information (mainly sports schdules/scores, team rosters, and school events), I don't want some hot-shot student (or any other hacker, for that matter) hacking in and messing up my data. I don't understand the security issues very well, other than the fact that I may be more paronoid than I need to be, i.e. I don't understand how access is to my htdocs/cgi-bin files works. I assume that if someone can log on to my site with ws-ftp (like they figured out my username/password), then they can do anything they want, but beyond that, is there any way that a programmer can reasonably defend to keep hackers out of their site/code???

Thanks,
Alisa
🙂

essexboyracer

put your config file, containing passwords outside of the /public_html/ folder. i.e. not web accessible.

oli

adavis

So..., put the config file which contains username/password in the cgi-bin or create a new folder at that same level or within the cgi-bin. Data structure for my server is:

cgi-bin
htdocs

I am assuming that the htdocs is the /public_html/ folder you were talking about.

Also, do you generally encrypt the username and/or password before writing them to this config file?

Thanks,
Alisa

dannys

Yeah, I store files like these in a folder called private which is at the same level as the cgi-bin and htdocs and is therefore inaccessable from the front, website, end.

You can't really encrypt the username and password info as MySQL wouldn't be able read them!

netmastan

What about if u chmod(666) the file ?

adavis

666 would work too. It's just that no one needs to write to the file except me. If I need to change my username/password, I will just go in there, change the info and ftp it back in. I don't think I'll take the time to write a utility to change it, since I'm the admin for this site and no one else at the school would even have a clue about this stuff. My plan for the username/password flat file stored in a folder called private at the same level as cgi-bin and htdocs will look like this:

[FONT=courier new]line 1: username[/FONT]
[FONT=courier new]line 2: password[/FONT]

Then I'll just open and read to get them to connect to the database.

If my thinking on this is flawed in any way, PLEASE let me know.

Thanks,
Alisa