
database security

I’ve been working on something that is just going to be used internally, so to make things easier I’ve been passing the database connection info (username, password, etc) to a session and just calling the session variables on each php page, but I want to change that since it’s probably a bad practice to get into since it’s info that a user would be able to view if they knew what to look for.

How do you normally hide this info?

also what software are you guys using for php development, I’ve been using Dev-PHP IDE I found on sourceforge but was curious what else was decent.

PHP

14 Comment(s)

@AmazingAnt, Oct 27, 2006 — Another decent program for PHP development is Notepad. The only restrictions it has are your own mental limits of learning the code.

As to how you are doing that, you could put the connection info into a php file. Type it up like this:
[code=php]
<?php
$username = "text";
$password = "more text";
$etc = "etc...";
?>
[/code]

Save that as something like "example.php" and then use include("example.php"); in your page. That way the script is going to the example file and getting the variables, but it's not stored in a file where a client can get to the text.

Not sure if that's what you're looking for, but there's one idea.
@bokeh, Oct 27, 2006 — [QUOTE]Another decent program for PHP development is Notepad.[/QUOTE]Are you serious? At least use something with syntax highlighting.

http://www.webdeveloper.com/forum/showthread.php?t=113793

http://www.webdeveloper.com/forum/showpost.php?p=525032&postcount=4

http://www.webdeveloper.com/forum/showthread.php?t=59394
@carlh (author), Oct 27, 2006 — [QUOTE]Another decent program for PHP development is Notepad. The only restrictions it has are your own mental limits of learning the code.[/QUOTE]

Sure, but it's a pain without coloring and bracket highlighting and all that. I wasn't looking for something that writes the code for me, just seeing what other options people are using.


[QUOTE]Not sure if that's what you're looking for, but there's one idea.[/QUOTE]

That makes sense. I'm just beginning to go through my code thinking about security, when I should have been doing that in the first place ?
@AmazingAnt, Oct 27, 2006 — True, syntax highlighting is a good thing. Notepad was just a suggestion. I use this freebie: http://www.flos-freeware.ch/notepad2.html

It's a pretty small program (like the original Notepad), it's got the syntax highlighting I got it for, and it requires no installation. Plus it puts in line numbers, which isn't a bad thing either.

And yes Bokeh, I'm serious. I've used regular notepad for all my coding for years until I got tired of seeing the PHP and HTML tags in these posts, so I found myself that program.
@netbuddy, Oct 27, 2006 — [QUOTE]Are you serious? At least use something with syntax highlighting.

http://www.webdeveloper.com/forum/showthread.php?t=113793

http://www.webdeveloper.com/forum/showpost.php?p=525032&postcount=4

http://www.webdeveloper.com/forum/showthread.php?t=59394[/QUOTE]


Duhh.... I think he means [URL=http://notepad-plus.sourceforge.net/uk/download.php]Notepad++[/URL] which covers many formats and languages with highlighting...
@AmazingAnt, Oct 27, 2006 — Actually I didn't, but there's another program suggestion for you, carlh.
@netbuddy, Oct 27, 2006 — Ok, I'll get my hat 'n coat..... :o
@Lubox, Oct 28, 2006 — I'm using Zend Studio and it's really good....
@chazzy, Oct 28, 2006 — I've used PHP IDE for Eclipse, just because I've been using Eclipse for everything lately.

[QUOTE]since it's info that a user would be able to view if they knew what to look for.[/QUOTE]


I have no idea why you have that idea. PHP code is run before anything is sent to the browser (or at least half and half) but PHP code is never sent to the browser.

Sessions are ok for username/password to the database. You could also use an OO approach and instantiate an object each time. Other methods include using includes, requires, require_onces.
@NogDog, Oct 28, 2006 — As far as DB connection data, I normally put it into an include file. That include file is saved outside of the web-accessible directory tree (e.g.: if my web document root directory is /home/nogdog/public_html/, then I might save it in a /home/nogdog/include/ directory). Then just add that directory to your include_path (either in php.ini or a .htaccess file) and include/require that file when you need to set your database connection values.

The include file might look something like:
[code=php]
<?php
define('DB_HOST', 'localhost');
define('DB_USER', 'abcd1234');
define('DB_PWD', 'Ab12Cd34');
define('DB_NAME', 'my_database');
?>
[/code]

Then in your script:
[code=php]
<?php
require_once "my_include_file.php";
$connx = mysql_connect(DB_HOST, DB_USER, DB_PWD) or die("DB connection error");
mysql_select_db(DB_NAME) or die("DB select: ".mysql_error());
?>
[/code]

Also, note that the database user you specify should only have just enough permissions to do what needs to be done in your script. For instance, you may want to only give it select, insert, and update permissions limited to specific tables.
@bokeh, Oct 28, 2006 — [QUOTE]That include file is saved outside of the web-accessible directory tree[/QUOTE]Why?
@NogDog, Oct 28, 2006 — [QUOTE]Why?[/QUOTE]
It's just one more layer in the onion called security. It [b]might[/b] make it a bit harder for a robot or script kiddie to find it, and doesn't cost me anything extra to do, so why not?
@bokeh, Oct 28, 2006 — Recently I worked on a site where root didn't have a parent directory that could be accessed from FTP. In this instance I made the directory where all the private stuff is kept send a 404. As far as increased security, the only time I could see a benefit from using a descendant directory would be if something went away in the server and the file was then accessible un-parsed. As far as security goes, even having that file in a descendant directory on a shared server is not very secure. For the webserver to read it, it would need to be at least 644, which means every other user on that server would also be able to read it or include it for use in any of their scripts.
@NogDog, Oct 28, 2006 — Which is a good reason not to use a shared server if you're going to store truly sensitive information.
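The following is an added example, not code from any post in this thread, that combines NogDog's include-file-outside-the-docroot layout with bokeh's point about file modes on a shared host: it refuses to load the config if the file is group- or world-readable, reads the credentials from a file that returns an array, and connects with PDO so that connection errors are logged rather than echoed. The path in CONFIG_PATH and the file layout of db_config.php are assumptions for the example.

```php
<?php
// Added example (not from the thread). Assumes the config file lives outside
// the document root, e.g. /home/nogdog/include/db_config.php, and that PHP runs
// as the file's owner (php-fpm pool or suexec) so the file can be mode 0600.
declare(strict_types=1);

const CONFIG_PATH = __DIR__ . '/../include/db_config.php'; // hypothetical path

// db_config.php is expected to contain only a returned array, e.g.:
//   <?php return ['host' => 'localhost', 'user' => 'app_rw',
//                 'pwd' => 'placeholder', 'name' => 'my_database'];

function loadDbConfig(string $path): array
{
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException('DB config file not found');
    }
    // bokeh's shared-host concern: 0644 lets every other account read the file.
    // Reject anything with group or other permission bits set.
    $mode = fileperms($real) & 0777;
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf('DB config is mode %04o; expected 0600', $mode));
    }
    $config = require $real; // the file returns an array, nothing is echoed
    foreach (['host', 'user', 'pwd', 'name'] as $key) {
        if (!isset($config[$key]) || !is_string($config[$key])) {
            throw new RuntimeException("DB config missing key '$key'");
        }
    }
    return $config;
}

function connectDb(array $cfg): PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $cfg['host'], $cfg['name']);
    // Exceptions instead of "or die(...)": no connection detail reaches the HTML output.
    return new PDO($dsn, $cfg['user'], $cfg['pwd'], [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
    ]);
}

try {
    $pdo = connectDb(loadDbConfig(CONFIG_PATH));
} catch (Throwable $e) {
    error_log('DB setup failed: ' . $e->getMessage()); // server-side log only
    http_response_code(500);
    exit('Service unavailable');
}
```

The 0600 check only works where PHP executes as the file's owner; under a shared mod_php setup running as a single web-server user, the file has to be readable by that user, which is exactly the situation bokeh describes, and the practical fix is NogDog's: don't keep real secrets on that kind of host.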