Server password exposed?

Anon

My webpage is hosted by an outside source. I have just begun to set up my php pages and Mysql backend.

When someone first starts a session, I have a php page that has my userid and password that opens access to my Mysql tables (of course). I have a default index.htm page in the directory so if only the directory name is typed it goes to that page.

I think my php page with my username and password is protected but I would like to know what are some security percautions I need to take to ensure the privacy of that information. Even knowing some hacking techniques so I can test it out would be very helpful.

I am new to the world of security.

Thanks,
Andy

kailien

include or require could be used to cover your sensitive info.

store a config file with all your sensitive info not in the web tree. then include or require that file in your php script.

since it is not in the web tree, it is less likely to be hacked / seen / etc.

bretticus

Of course if somebody can get your server to display php code they'll see the path in your include/require and know where it is anyway, but it is a good idea to do so so that you do not have to rewrite the code ach time. For example I have a include file:

<?
$mysql_host="host";
$mysql_user="username";
$mysql_pwd="passwd";
$mysql_db="current_db";

$conn = mysql_connect($mysql_host,$mysql_user,$mysql_pwd)
or die ("Could Not Connect to Database!");
?>

That stores the connection variables and makes the connection that I just include on each script that needs access. The benefit to this is that I can give a client ftp access to their virtual folder and not to the folder where the db include file is stored. That way even if somebody gets into their folder they don't get the db info.

kailien

we are saying the same thing, but i want to stress that you can put the config file NOT (i repeat NOT) in the web root tree. thus, even thought they know where the config file is located based on the path, they do not have access to that file.

another trick is to add additional include path to the php.ini file. or you could do it in .htaccess. thus, it would make harder for them to find the exact location of the include file.

lastly, you could try some of the encrypted / compiled php engines.