/    Sign up×
Community /Pin to ProfileBookmark

PHP+MySQL Security for CMS

Copy linkTweet thisAlerts:
Apr 20.2004

This is probably quite a trivial question for anyone massively up on their security, but we’re having a bit of a ‘mare here trying to come up with a sensible solution.

We’ve got a CMS that has a central database that stores all of the core CMS data, then a separate database for each client that contains tables such as page, events, news and the like.

In the pursuit of security we have a cms MySQL user that is only allowed to manipulate the central database, and a user set up for each of the individual client databases (which are obviously only allowed to view and edit their own database).

Now, when a new user builds their site using the system, a database is dynamically created for them, and a user is created for them so that their log-in can access said database.

Cutting to the chase: The database has to be created and the privileges granted by a user with rights to do these actions. Where is it best to store the login information for this super-user as to provide the utmost security? Sticking it straight in the PHP code is obviously a bad idea!

to post a comment
PHP

3 Comments(s)

Copy linkTweet thisAlerts:
@JonathanApr 26.2004 — Actually, storing it in the PHP coding is not that bad if you are smart about it...

If you store it in the php page then try:

[code=php]
<?php
$password = crypt("My1sTpassword"); // let salt be generated

# You should pass the entire results of crypt() as the salt for comparing a
# password, to avoid problems when different hashing algorithms are used. (As
# it says above, standard DES-based password hashing uses a 2-character salt,
# but MD5-based hashing uses 12.)
if (crypt($user_input, $password) == $password) {
echo "Password verified!";
}
?>
[/code]

EDIT: You can do the crypt funtion ahead of time on your PC just to get a code, then just add it to the user crypted input and compare...
Copy linkTweet thisAlerts:
@GeatauthorApr 27.2004 — That's pretty good thanks mate.

The way I ended up going about it was to include the password, username and connection setup in a PHP script that's outside of the web root directory, so if the web directory is

/mydrive/afolder/web/mysite

I store the connection code in

/mydrive/somewhereelse/passwords/

Giving the file a name preceeded with a "." adds a little extra security, as some FTP clients may not see it, e.g:

.connectdb.inc.php

Pretty secure, all in all.
Copy linkTweet thisAlerts:
@violent_jApr 27.2004 — personnaly, i'd use system shell script (bash) to accomplish this

i'd write a very simple text file somewhere (using PHP), which only contains necessary data to create the database and the mysql user

than writing a shell script, which runs every minute (through cronjob), and checks for the file you wrote with PHP, if he finds any data in it, create the database with super-user account defined in the shell script

grtz
×

Success!

Help @Geat spread the word by sharing this article on Twitter...

Tweet This
Sign in
Forgot password?
Sign in with TwitchSign in with GithubCreate Account
about: ({
version: 0.1.9 BETA 5.18,
whats_new: community page,
up_next: more Davinci•003 tasks,
coming_soon: events calendar,
social: @webDeveloperHQ
});

legal: ({
terms: of use,
privacy: policy
});
changelog: (
version: 0.1.9,
notes: added community page

version: 0.1.8,
notes: added Davinci•003

version: 0.1.7,
notes: upvote answers to bounties

version: 0.1.6,
notes: article editor refresh
)...
recent_tips: (
tipper: @AriseFacilitySolutions09,
tipped: article
amount: 1000 SATS,

tipper: @Yussuf4331,
tipped: article
amount: 1000 SATS,

tipper: @darkwebsites540,
tipped: article
amount: 10 SATS,
)...