Database Username & Pass security

jamesflynn

This may sound like a stupid question. But I know that when passed through an html browser all php coded is parsed to html.

But what if someone uses one of the download managers to download the PHP file is it still parsed without going through a web browser?

Thanks in advance,
James

chads2k2

If you are paraniod then hold all the information in a session variable and then that way the only one who could "sift" through it would be root on the server. Which that would also be related to the time which the session was made. Yes it does go through POST/GET to get to the session but it wouldn't leave the page w/o creating a session. I am sure there are other ways of protecting against this and it will be interesting to hear what others have to say about this.

jamesflynn

Thanks for your input. Yes I am paranoid. I'm still curious to see what other poeple have to say. Does anyone no if theres a way for someone to get the nonparsed php code that would contain the db password info?

laserlight

a download manager would probably download the parsed PHP script.

Your PHP code would be visible, however, if for some reason PHP failed to parse the script.

drawmack

It would depend on how the download manager connects to the site.

If the download manager connects via http then the server will execute the php. If the download manager connects via ftp then the server will not execute the script and the person gets your php.

The fix is rather simple, disallow annonymous ftp access to any folder that contains php. Since I store everything (images, files for download, etc) in the database I disallow annonymous ftp to the entire site.

tomhath

The Search button is your friend:

http://www.phpbuilder.com/board/showthread.php?threadid=10230797&highlight=password+AND+paranoid+AND+directory

synergypoint

The best method I have found for protecting passwords stored in a php file is to protect the directory using .htaccess.

I create a folder called /include and I put all of the scripts that contain sensitive info in them there. For example I put all of my database connection scripts and ftp connection scripts that contain passwords in that folder. I don't put any file that I don't want to access through a php include statement in that directory though.

Then I create a .htaccess file as follows:

<Files ~ *>
Order allow,deny
Deny from all
Satisfy All
</Files>

This prevents any file in that directory from being executed or read from a web browser. The files can be included in another script though using PHP and will work fine. If PHP fails on your server, you don't run the risk of the passwords being exposed because the script that calls them through an include wouldn't function either.

If you want to only "hide" certain files in that directory replace the with the pattern to match. (i.e. .inc would hide any file ending in .inc).

Hope this helps.

axo

yeah, i also work like synergypoint says and it seems quite safe... i don't know if some DoS beating down the entire server would cause the failing of the .htaccess file, but i don't think so....