PHP/MySQL password solution

Anon

Hi all,

I wrote in looking for help earlier today, and after talking to one of my friends "IRL", he came up with another idea, which was to hide the connection data in a function eg.

<?php

function php_mysql()
mysql_connect(localhost, user, pass);

Notice it would have the information hardcoded into the fucntion,(not using variables) then have that inside a include file. If you were a little more paranoid perhaps you would also then make the connection info into variables, but in essence would not provide anymore security, perhaps it would lessen making one more file that you have watch.
Anyways the idea is that you would include the the script above before any database interaction.
Still ofcourse having the include away from the main root directory.

[deleted]

How does that help?

If you want to hide the password, you have to make it unreadable to others.

If you put the password into a variable in an include file it is unreadable through HTTP requests, only PHP scripts can access it.
But, the PHP engine could crash, and then the webserver would default back to sending out PHP files as plaintext, revealing the source. That would reveal the name of the includefile, and you could request the includefile directly and you're in.

The only way to prevent this is to put the file that contains the password outside of the documentroot. Then the webserver cannot access it, only PHP can. If the PHP engine crashes, it can't access the file, and if it doesn't crash it will parse the file and thus hide the source.

That leaves ont major security hole: other users on the same server. If they share the same webserver process with you, then they share the same userid for PHP, and they can read all your sources, including the password, wherever it is.

Anon

Do you know where I can get videos of horses mating? Thanks in advance for any replys! His_Gayness

[deleted]

lol nice troll adsl-208-191-214-62.dsl.kscymo.swbell.net