
Database Security

I have a file that contains all the database connection information. How could I hide it in a safe place and only allow files within a certain folder to have access, and no subfolders unless I specify which ones?

I'm allowing people to upload files, such as php, and if they find out the name and location of the file, they could possibly get the contents of the file by reading it in using fopen() and hack my database.

The database info:

[code=php]<?php
$dbHost = "localhost"; //Location Of Database usually its localhost
$dbUser = "xxxxx"; //Database User Name
$dbPass = "xxxxx"; //Database Password
$dbDatabase = "file_host"; //Database Name

$db = mysql_connect($dbHost, $dbUser, $dbPass) or die ("Error connecting to database.");
mysql_select_db($dbDatabase, $db) or die ("Couldn't select the database.");
?>[/code]

One way I use it:

[code=php]<?php
include "db.php";
$sql = mysql_query("SELECT * FROM users WHERE id='{$_SESSION['id']}'") or die(mysql_error());
$row = mysql_fetch_array($sql);
?>[/code]

@Sheldon, Jan 14, 2007 — like this
[code=php]<?php

// Serve a 404 if this file is requested directly instead of being included
if (basename(__FILE__) == basename($_SERVER['PHP_SELF'])) send_404();

$dbHost = "localhost"; //Location Of Database usually its localhost
$dbUser = "xxxxx"; //Database User Name
$dbPass = "xxxxx"; //Database Password
$dbDatabase = "file_host"; //Database Name

$db = mysql_connect($dbHost, $dbUser, $dbPass) or die ("Error connecting to database.");
mysql_select_db($dbDatabase, $db) or die ("Couldn't select the database.");

function send_404()
{
    header('HTTP/1.1 404 Not Found');
    print '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">'."\n".
        '<html><head>'."\n".
        '<title>404 Not Found</title>'."\n".
        '</head><body>'."\n".
        '<h1>Not Found</h1>'."\n".
        '<p>The requested URL '.
        str_replace(strstr($_SERVER['REQUEST_URI'], '?'), '', $_SERVER['REQUEST_URI']).
        ' was not found on this server.</p>'."\n".
        '</body></html>'."\n";
    exit;
}

?>[/code]
@The_Little_Guy (author), Jan 14, 2007 — Thanks, I think that works!
@bokeh, Jan 14, 2007 — The trouble with storing MySQL connect details in a file is that the webserver has access to them (meaning so does everyone else that shares the server). Much better would be to store them in the local environment.
@blade52x, Jan 14, 2007 — Can you just chmod a folder and stick it in there? Because I have the same question as well.
@bokeh, Jan 14, 2007 — [QUOTE=blade52x]Can you just chmod a folder and stick it in there? Because I have the same question as well.[/QUOTE]
No, because if the webserver can read it so can everybody else. And if the webserver can't read it the connection will be impossible.
@MrCoder, Jan 14, 2007 — [QUOTE=Sheldon]like this
[code=php]<?php

// Serve a 404 if this file is requested directly instead of being included
if (basename(__FILE__) == basename($_SERVER['PHP_SELF'])) send_404();

$dbHost = "localhost"; //Location Of Database usually its localhost
$dbUser = "xxxxx"; //Database User Name
$dbPass = "xxxxx"; //Database Password
$dbDatabase = "file_host"; //Database Name

$db = mysql_connect($dbHost, $dbUser, $dbPass) or die ("Error connecting to database.");
mysql_select_db($dbDatabase, $db) or die ("Couldn't select the database.");

function send_404()
{
    header('HTTP/1.1 404 Not Found');
    print '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">'."\n".
        '<html><head>'."\n".
        '<title>404 Not Found</title>'."\n".
        '</head><body>'."\n".
        '<h1>Not Found</h1>'."\n".
        '<p>The requested URL '.
        str_replace(strstr($_SERVER['REQUEST_URI'], '?'), '', $_SERVER['REQUEST_URI']).
        ' was not found on this server.</p>'."\n".
        '</body></html>'."\n";
    exit;
}

?>[/code]
[/QUOTE]

How does that stop somebody reading the file with fopen?
@blade52x, Jan 14, 2007 — How exactly would someone get into a mysql database even if they had the information?

Let's just say someone does have your information. How would they even be able to load your databases from the outside?
@bokeh, Jan 14, 2007 — [QUOTE=MrCoder]How does that stop somebody reading the file with fopen?[/QUOTE]
It doesn't. The purpose of that code is to stealth the file if it is in a publicly accessible directory.
[QUOTE=blade52x]How would they even be able to load your databases from the outside?[/QUOTE]
This thread is examining compromises from the inside, not the outside. On a shared server this is the weak link.
@The_Little_Guy (author), Jan 14, 2007 — So, how exactly should I do this? If Sheldon's code works, and you say to store the file in a local environment, where would that be?
@bokeh, Jan 14, 2007 — Loading them into the environment is done from the vhost. Then you access them from $_ENV. That way they are not accessible by other users of the webserver.
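The approach bokeh describes, as an added example that is not from the thread: the credentials are set per vhost with Apache's SetEnv and read with getenv(), so there is no db.php in the docroot for an uploaded script to fopen(). It assumes mod_php (with PHP-FPM, SetEnv values are not passed through and the pool's env directives are needed instead) and uses PDO rather than the thread's mysql_* functions; the vhost fragment, variable names and credential values are placeholders.

```php
<?php
// Added example: credentials come from the vhost environment, not a file.
// Assumed Apache vhost fragment (placeholders, mod_php):
//
//   <VirtualHost *:80>
//       ServerName example.test
//       SetEnv DB_HOST localhost
//       SetEnv DB_USER file_host_user
//       SetEnv DB_PASS change-me
//       SetEnv DB_NAME file_host
//   </VirtualHost>
//
// A script uploaded by another customer can fopen() a file it can find,
// but it cannot read a SetEnv value that only exists inside this vhost.

function db_config_from_env(): array
{
    $cfg = [];
    foreach (['DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME'] as $key) {
        // getenv() sees SetEnv values; $_ENV only if variables_order contains "E"
        $value = getenv($key);
        if ($value === false || $value === '') {
            // Fail closed: never fall back to a hard-coded default
            throw new RuntimeException("missing environment variable $key");
        }
        $cfg[$key] = $value;
    }
    return $cfg;
}

function db_connect(): PDO
{
    $cfg = db_config_from_env();
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $cfg['DB_HOST'], $cfg['DB_NAME']);
    return new PDO($dsn, $cfg['DB_USER'], $cfg['DB_PASS'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Usage: the lookup from the original post, as a prepared statement
session_start();
$db   = db_connect();
$stmt = $db->prepare('SELECT * FROM users WHERE id = :id');
$stmt->execute([':id' => $_SESSION['id'] ?? 0]);
$row  = $stmt->fetch(PDO::FETCH_ASSOC);
```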
@The_Little_Guy (author), Jan 14, 2007 — ohhh... OK... You lost me.