Secure place to store login info and how to login with it

aewarnick

I had an idea to store my login code:
ftp_login...
in a separate file outside of the public_html dir and set full permission (777) to it.

Is that safe?
How do I call this function from inside another file?

function Login()
{
$connection= ftp_connect('ftp.me.com');
return ftp_login($connection, "me", "pass");
}

I was hoping to return connection but I don't know how to send pointers in php.

devinemke

why would you want this file to be set to 777? if you are on a shared server that means that anyone else on the server could potentially read/write to your file. if you want to call the function simply [man]include[/man] the file that contains it.

aewarnick

I edited my post above...And
Other people have access to the folder above public_html?

devinemke

aewarnick wrote:
Other people have access to the folder above public_html?

...other people on the same shared server (potentially, depending on the server configuration).

aewarnick

So are things safer in public_html? I noticed it has no world access.

hadoob024

I guess I have a similar issue. I keep reading that I shouldn't store the login info for accessing my MySQL db in the same script that's executing the commands. Instead, I should create a PHP file outside of the web document tree, place the login info in this file, and then Include the file in the script where I'm handling all my db commands. My question is, should this file be outside the web document tree, or is it good enough to put it outside of the web document root? Thanks!

-tan

aewarnick

I read somewhere today that it is safer to put a file above the public_html dir and give it full access than to give it full access in the public_html dir. I'm confused.

devinemke

the point i was making before is that there is no reason to use 777 in this situation, regardless if whether the file in inside or outside the document root.

hadoob024

I guess that's what I'm trying to figure out too. Is it better to put it in a folder that is 1 level above the public directory? Or is it better to put it in a folder that is a subdirectory of the public directory, and then restricting use using a .htaccess file?

-tan

devinemke

files in a public directory (the document root and below) are exactly that: public. anything you want readable by everyone needs to be in a public directory. there are various server-side methods of keeping only certain people from viewing public documents (htaccess for example). if you have files that you never want to be public then store them elsewhere. you can always use PHP's various file i/o fucntions to works with these files even though they are not public to everyone.

aewarnick

Where would you suggest I put the login file and what access should I give it?

aewarnick

If I put my login file above public_html and set the access so that fread works won't others be able to read the file as well?

hadoob024

How secure is htaccess alone then? The only information I'm trying to protect is the login information for access to the MySQL db. Is then putting this in a sub-directory of the root directory and using htaccess enough?

aewarnick

Where should I put the login file?
What access should I give it?

hadoob024

I'm now putting mine in a directory that's on the same level as my public directory, but not IN my public directory or any sub-tree underneath it. And I'm restricting access to it so that only PHP files can access it. That seems to be the advice I'm getting from everyone.

-tan

aewarnick

Only php files can access it? How is that done and what access level is on the file?

aewarnick

PLEASE, I STILL HAVE NOT RESOLVED THIS.

I placed it above public_html. All I do now is include the file. But I am worried that anyone else can do the same from their site and have lots of fun messing up mine.

Please help.

hadoob024

It's my understanding that you want to put the file that you want to "include" or "require" in a folder that's on the same level as your public html folder, but not IN your public html folder or any sub directory under it.

That's what I did. Then I set up .htaccess on that folder so that no one can just directly access the directory. Then in whatever file where I need to call that information, I just do a

require ("blahblah.php")

And this allows my scripts to access the file, but not anyone else directly.

aewarnick

Quote from a site talking about htaccess:
"You may need to CHMOD the htaccess file to 644 or (RW-R--R--). This makes the file usable by the server, but prevents it from being read by a browser"

Can I just set my login file that I include to 644 and be secure without an htaccess file?