Date: 12/29/00
- Next message: Richard Lynch: "[PHP] Re: Simulating a POST"
- Previous message: Richard Lynch: "Re: [PHP] Echo of multi dimension array"
- In reply to: Sefton: "[PHP] How secure is this?"
You can't make your database username/password completely unreadable to
everybody, but still give everybody access to the database online.

There are a couple things to do to reduce exposure/risk.

Put the username/password and mysql_connect() into its own separate file.
*Move* that file *outside* the web-tree -- To your home directory.
Alter your include_path to have your home directory in it.
Make the file readable by the PHP user.

So now, you have at least made it so only people who can log in to the same
machine can read the file, not everybody who can surf the web.

Also, if you can identify broad classes of users into: read-only,
insert/update, delete and build separate pages/sites for the different
activities, do so, and create different mysql users for each class.

You can then put the insert/delete people on a secure server, which
presumably has only a few people able to log in, and have the masses only
able to *read* all your data, not write it.

Similarly, you can perhaps also break your database down into tables that
*everybody* can read/write, and tables that only select individuals can
read/write.

The idea is to segregate your users and data into the stuff you care about
and the stuff you don't sweat so much to make it more manageable.

If you *really* need high security, you can put everything on an SSL server
with only you able to log into it.

Also, for higher security, you can put the database on a separate box with a
separate network card to the web-server, and only allow the database to be
accessed through that one card -- which is not exposed directly to the
Internet in any way.

Obviously, how much of this you want to do depends on how secure you need
the data to be...

There are long threads in the archives about this.

----- Original Message -----
From: "Sefton" <c.sefton <email protected>>
Newsgroups: php.general
Sent: Friday, December 29, 2000 4:22 PM
Subject: [PHP] How secure is this?
> I have setup a page that accesses mysql. The page has to include the
> account login name and password to access the mysql database.
> Example...
>
> <?php
> $user = "username"; // actual username goes here
> $pass = "password"; // actual password goes here
>
> $db = mysql_connect("localhost", $user, $pass) OR DIE("Unable to connect to database");
> ?>
>
> If you get the idea.
>
> My concern is what if somebody can get to the source code. It could ruin me.
> I realise the php is a server side language, but is there any way that
> somebody could read this. If so how do I stop it? or is there another way to
> store my username & password that cannot be read.
>
> Please help
>
> Thanks
>
> Chris
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: php-general-unsubscribe <email protected>
> For additional commands, e-mail: php-general-help <email protected>
> To contact the list administrators, e-mail: php-list-admin <email protected>
>
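
The credentials-file-outside-the-web-tree and one-MySQL-account-per-privilege-class advice from the reply above, as an added example that is not part of the original thread. It uses PDO rather than the post's mysql_connect() (removed in PHP 7); the paths, role names, account names and the load_db_credentials()/db_connect_as() helpers are hypothetical, and Unix file permissions are assumed.

```php
<?php
// Added example (not from the thread). Paths, roles and account names are hypothetical.

// Load one role's credentials from a file kept outside the web tree.
// Refuses a file the web server could serve or that any local user could read.
function load_db_credentials(string $role, string $credFile, string $docRoot): array
{
    $file = realpath($credFile);
    $root = realpath($docRoot);
    if ($file === false || $root === false) {
        throw new RuntimeException('credential file or document root not found');
    }
    if (strpos($file, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('credential file is inside the web tree');
    }
    if (fileperms($file) & 0004) {
        throw new RuntimeException('credential file is world-readable');
    }
    $all = require $file;   // the file returns an array keyed by role
    if (!is_array($all) || !isset($all[$role])) {
        throw new RuntimeException("no credentials for role '$role'");
    }
    return $all[$role];
}

// Connect as the least-privileged MySQL account the calling page needs.
function db_connect_as(string $role, string $credFile, string $docRoot): PDO
{
    $c = load_db_credentials($role, $credFile, $docRoot);
    return new PDO('mysql:host=localhost;dbname=' . $c['db'], $c['user'], $c['pass'],
                   [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
}

// Demo on constructed data: a fake web root with the credential file beside it, not under it.
$base = sys_get_temp_dir() . '/cred_demo_' . getmypid();
mkdir("$base/htdocs", 0755, true);
mkdir("$base/private", 0700);
$cred = "$base/private/db_credentials.php";
file_put_contents($cred, "<?php return [
  'reader' => ['db' => 'site', 'user' => 'site_ro', 'pass' => 'constructed-ro'],
  'writer' => ['db' => 'site', 'user' => 'site_rw', 'pass' => 'constructed-rw'],
];");
chmod($cred, 0640);   // owner plus the PHP user's group only

echo load_db_credentials('reader', $cred, "$base/htdocs")['user'], "\n";
chmod($cred, 0644);   // simulate a permissions mistake
clearstatcache();
try { load_db_credentials('reader', $cred, "$base/htdocs"); }
catch (RuntimeException $e) { echo 'refused: ', $e->getMessage(), "\n"; }
```

Public read-only pages would call db_connect_as('reader', ...) and only the restricted insert/delete pages would use 'writer', with each MySQL account granted just the privileges its class needs.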

