safely storing primary password

billo

To access MySQL tables I have a user ID & password assigned by my web host service. This is the same ID & pwd they issued for managing the primary site (for FTP etc.). In other words, it is v important I keep them secure!

I want to make a table available for a 3rd party to use, but I do not want to give them my ID & pwd.

I read a tutorial which suggested I save them as variables in a file called "common.inc". It works, but I found I can download that file on any PC as a text file!

I changed the file extension to "common.php" so it now downloads with blank contents.

Is this a safe way to store the primary db password (ie in "common.php") or is there a better way?
TIA billo.

PHPdev

First I would try to get your ISP to generate another login for your database. If this is not an option, then it all depends on what type of ACCESS you want to give to your third party... Are they just building a web application for your site.. then you could give them a file which has variables needed to connect to the db... but if they are working on your server then they will need the FTP info anyway.

Another option is to just give the the u/p, have them sign a contract stating they will keep their business to their project, then have your ISP change it afterwards.

There are many different ways to address this security issue, just depends on how you feel about each...

PHPdev

billo

thanks. the 3rd party is not doing any development work - they will be a "user" of the database, adding and delting entries in the table. aksing them to sign a non disclosure won't give me the level of comfort I'm looking for - the user is a novice and may, without meaning to, make the u/p available to others. others, who could then ftp to the server and cause all kinds of problems.
I did ask the web host svc provider if they would create another ID but they won't. So I'm stuck with having to find a way to securly store my u/p somewhere to enable my 3rd party user access. any further thoughts?

PHPdev

so your third party is just going to use an application to add and rem entries from the db... How are they going to acces the db? via odbc on another computer? MyPHPAdmin? or web interface someone else has built?

What most people do is to put the db connection file or just the db settings in another folder generally outside the website, with world read access. Giving the file a PHP or PHPX (where X is 3 or 4) extension should not allow them to see the source of the file. Because when the web server encouters a file with said extensions, it will parse the file for PHP code. Such that you dont have any errors, or echo/print statements in the file is will always come up blank.

PHPdev

billo

Yes, I am the site builder and I want to make it available to select others so they can add/del entries in the table. They will do all of this via the site I am developing.
It is the word "should" in your comment "Giving the file a PHP or PHPX (where X is 3 or 4) extension should not allow them to see the source of the file" that was my original concern and the reason I posted here.
I have the u/p and other variables already stored in a file called "common.php" and, just like you said, it returns a blank file if you access it via a browser. I am just worried that others, who know better, will find a way to download the file without parsing and thus read its contents. Is that impossible and therefore this is a safe method, or is there a risk? If there's a risk, what's the safest way to manage it?
thanks

PHPdev

There is always some minor risk with any file being world read, you could always set the user, group to = the user/group of the web server, but that is not going to do any good.

At the present time, there are no bugs, or attacks that will stop apache from processing a PHP or PHPX file.

I know some people mention putting the file in the CGI-BIN directory outside your website, I think there is generally an .htaccess file in said directory that denys all requests for files in the CGI-BIN directory. Thus adds a second layer of protection to the file.

The reason I used "SHOULD" before is because if your ISP ever changes something with the APACHE server to not process the PHP or PHPX extentions, then yes the file can be displayed in plain text (as you have already seen)

You could always create an .htaccess file, which denies access to any file with extension INC, or specificly for your common.inc, or common.php

This is what I have been able to find from my research about 1 month old. I had the same questions you do now....

PHPdev

billo

thanks for your help - I'll leave it as is for now (as a dot php file) since the risk is minor that someone could get at its contents.
I will also question my web host svc about the other options you mention in case they have a preferred method. After all, it is no doubt also in their interest that I prevent others from getting at my u/p.
thanks again.

bastien

grant prvilidges on the mysql db...then use the control panel supplied to add new users to the db...

set up several:
1. for admin users - day to day site ops...not too much access
2. development access - for developers - full access
3. web access - guest - any random users - very few privildges (select, insert (into certain tables) and update, no delete, drop etc)

otherwise you are left to creating your own table, managing the users yourself with extra check in the pages to prevent users from asking for new tables or adding data depending on access granted.

hth