Security with Database password

Anon

Hi,

whenever I have to access mysql, I need these few variables:

$host = "";
$user = "";
$pass = "";
$database"";

my question is that is there anyway for users to gather that information from the php file even if it's hidden by the <? ?> ??

If so, what are the ways to secure it?

Thanks a lot.

brandonschnell

move the include file outsite of the web server document root.

Anon

No one can see anything you right inside your PHP tags that's not sent to text/html (like a print statement or a view_source statement).

The only people that would be able to look at that information are the one's that have access to the server itself, and have privileges to view files in your scripts directory(ies).

Curts

brandonschnell

yes, but the first time php fails to startup your php source code will be unveiled in all of its glory.

place:
<? include("/path/out/of/web/root/"); ?>

and while the users might be able to see where that include file is with your passwords, remote users won't be able to retrieve the file.

but like curts says, local users most likely will be able to see your username/password regardless of what you do. there are some workarounds to these security issues, but you'll need to work with your isp regarding this.

Anon

Thank you for your answers!

Anon

yes, but the first time php fails to startup your php source code will be unveiled in all of its glory.

What do you mean? Are you talking about the webserver starting with an altered httpd.conf file and all the php libraries missing?

I can't imagine that this would be a problem.... but please explain what you mean.

Curts

brandonschnell

for the php source to be hidden, that assumes that everything works correctly, and common sense says this always isn't so.

this is most often an issue during upgrades. for example i upgraded from 4.0.4pl1 to 4.0.5, an error occured, and none of my php scripts were loaded by php till i downgraded back to 4.0.4pl1. a similiar issue occured when i upgraded apache and wasn't fixed until i finished the install and restarted apache. not to mention the possiblity of file corruption, or just other ppl mucking with config files they don't understand.

in general you should assume that anything in your web server document root can at one point be read by end users.

fandelem

actually as a side note, i have seen many web hosting companies have the following setup:

/home/* is there user directories

all these are allowed by anyone who has an account on the system to cd into the /home/user1 for example, but not able to execute a command such as 'ls'. however, here is the clencher: their public_html, or www directory is chmod'd to the point where you can view any file in there (ie cat database_connect.php for their password information, which 99% of the time is their real passwd)

just a precaution.. you should try it on your system to make sure ;o) just go into /home and type ls, pick a user dir, if you can cd in there then you have internal security issues ;o)