Username / Password for database access

dashifen

Greetings all,

I've been managing a PHP/MySQL website of my own for a while. On that site, I have a php file that is included (with the function of the same name) where database access is required. The file has the basic structure of:

$dbuser = "username";
$dbpass = "password";
$dbname = "database_name";

function runQuery($SQL) {
  global $dbuser, $dbpass, $dbname;
  $db = mysql_connect($dbname, $dbuser, $dbpass) or die(".....");
  // more code here to run the sql statement and return results etc.
}

Since my personal site has nothing that needs to be totally secure, I don't worry too much that my database user and password are right there in a file. Plus, I took the precaution of making the file a .php file so that it can't be displayed in a browser (it'll be parsed first).

Now, however, as a part of my day-job, I'll be porting an existing web/database application to PHP/MySQL. What other precautions, if any, would you all suggest to protect these vital username/password combinations?

tsinka

Hi,

I'd suggest to put that variables into a file outside DOCUMENT_ROOT so it can't be accessed via the browser and to include that file in your scripts.

Thomas

dashifen

Excellent idea. Any other suggestions?

tsinka

Hi,

there are several ways to make your app as secure as possible.
I'd suggest to google around a bit to find e.g. tutorials on ways to secure applications.

http://www.pscode.com/vb/scripts/ShowCode.asp?txtCodeId=479&lngWId=8

Don't only focus on how to secure usernames and passwords.

Just some points:

don't store vital data in cookies (all time favorit: cleartext passwords)
don't store vital data unencrypted in a database
make sure to assign default values to variables
don't use vital data as hidden fields in forms, use sessions instead (if possible) if you need the data on other pages
be sure to prevent SQL injection if using GET or POST data in SQL queries (by e.g. using addslashes or mysql_escape_string if using MySQL)
use $SERVER['variable'], $POST['variable'], $_GET['variable'] and all the other arrays to access superglobal variables instead of just $variable even if register_globals is set to off
many more

Thomas

dashifen

I'd suggest to put that variables into a file outside DOCUMENT_ROOT so it can't be accessed via the browser and to include that file in your scripts.

A question on this: how do I reference this in the include statement? Does it require an absolute path or a relative one or can I use either one. If it's an absolute path, where does it "begin." I know for "normal" web applications document root is simply / (like all roots) so how do I get outside the document root?