Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

security with PHP 1

Status
Not open for further replies.
mufka

mufka

ISP
Joined
Dec 18, 2000
Messages
587
Location
US
I've got some PHP scripts that are accessing a MySQL database. I have a file that defines all of the connection variables and the scripts include that file. Is there any danger that the file could be included/read from a remote server and allow someone to get the connection info? Is there a better way to do this? Do file permissions matter?

Thanks
 
Sort by date Sort by votes
Hi

mufka said:
Is there any danger that the file could be included/read from a remote server and allow someone to get the connection info?
Click to expand...
Yes, but usually that happens through the web server, so if the file containing the settings in also a PHP file, not its content but its output will be reached. So just pay attention to not produce relevant output in the configuration file.
mufka said:
Is there a better way to do this?
Click to expand...
No, but you can add a twist by storing the configuration file out from the document root of the web server. That makes the attacker's job more difficult.
mufka said:
Do file permissions matter?
Click to expand...
No, because usually the cracker will request it as the same user as the web server does. But is always a good idea to limit the access to as few users as possible. For more on this you have to tell us the operating system's and web server's name.

Feherke.
 
Upvote 0 Downvote
I would agree with feherke. IMO the best thing to do is store the config file outside the document root, this will prevent the file being accessed through any normal browser request.

Another security measure which seems to be over looked when dealing with db connections is the permissions of the MySQL user. Create a user (in MySQL) that only has access to what is needed. If you will just be selecting data out of the db, create a user with only select permissions and only on the tables needed. Do not use a generic user which has almost all the same privileges as root. MySQL allows almost granular control over user privileges make use the these.

-- -- -- -- -- --

If you give someone a program, you will frustrate them for a day
but if you teach them how to program, you will frustrate them for a lifetime.
 
Upvote 0 Downvote
It hadn't even occurred to me to use a SELECT only user for the queries. I'll do that. One question that I have is how do I reference a config file that is out of the document root from within a script? Do I use ../../config.php or the full *nix path?

Thanks
 
Upvote 0 Downvote
Personally, I have always used an absolute path when dealing with files outside the document root but that is just a personal preference either will work and I don't really see any major difference; especially from a security aspect.

If you give someone a program, you will frustrate them for a day
but if you teach them how to program, you will frustrate them for a lifetime.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

cdlvj
  • Locked
  • Question Question
PHP Debugging
Replies
1
Views
738
cdlvj
cdlvj
W
  • Locked
  • Question Question
how to send checked row data in php
Replies
0
Views
611
wiltang2004
W
SashaBuilder3
  • Locked
  • Question Question
import CSV file into MySql table in PhpMyAdmin
Replies
0
Views
1K
SashaBuilder3
SashaBuilder3
PeDa
  • Locked
  • Question Question
Unwanted spaces in php HTML mail
Replies
4
Views
698
PeDa
PeDa
Mandy_crw
  • Locked
  • Question Question
How to send sms in PHP using usb gsm modem?
Replies
1
Views
856
vishvajit
vishvajit

Part and Inventory Search

Sponsor

Back
Top