PHP Password Security

wuz (Programmer, US)
Jul 10, 2000
I know there are several ways to handle the security issue of keeping database passwords safe from hackers. But which is the best method to use in a shared hosting situation?

Is it better to store the database user name and password in an include file in the home directory, above the public directory, so that they're not accessible from That's what I've done in the past, but now I'm not positive that's the best approach. Would it be safer to put them in a directory within the public directory, and password protect it with .htaccess? I'd think either of the above two approaches would make the info available to those on the same server. Or maybe it's just better to include them on the PHP page itself and try to encrypt it? I've heard Zend is good to use, but it's a little pricey for my needs. <g>

Any thoughts on the subject?

Thanks!
Susan :)
 
The best way is using a one-way function to cipher the password and then store it in the database.

Use md5() function to create a unique string and store this string in the database.

To check it, just md5 the password and compare it with the stored one.

Anikin
Hugo Alexandre Dias
Web-Programmer
anikin_jedi@hotmail.com
 
I always build an include dir above the website dir; in there are files with the extension .inc placed. These are files that can't be run because they don't end with .php.
Above all there is no access to the user in that dir.
Your provider has to do his homework and protect your website dir from other users. If this isn't done correctly, don't mind about security, then you can't fix it. Not even with .htaccess, because that is only web-based protection.
The only right solution is to keep it out of your website dir and in a special include dir, which is set in the httpd.conf (the include_path).

mcvdmvs
-- "It never hurts to help" -- Eek the Cat
 
Depends on your code ... I can attack a server if you do not program well. One way is placing:


if you do not do a basename to the file var, i can access any file in your filesystem ...

That's not a way to protect the code. Your coding is the only thing that can protect you.

Anikin
Hugo Alexandre Dias
Web-Programmer
anikin_jedi@hotmail.com
 
Of course. I did say that the server has to be secure. Then you can make your files secure. And that is also good programming. When you allow people to see that you include files through the GET method, I would not call that good programming.
But if I do the following in the beginning of the script:

include('certain_include_file.inc');

Your trick won't work. And you wouldn't be able to see my code, unless I echo the vars in the include file, or I don't debug and protect my code too well, especially when my code fails.
One way is to set usernames, passwords and database names in constants. And always put the @ in front of db functions.

mcvdmvs
-- "It never hurts to help" -- Eek the Cat
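A hardened version of the pattern mcvdmvs and Anikin are discussing, as an added example that is not any poster's code: the credentials live as constants in an include above the document root and are loaded by a literal name, while a client-selected page include is guarded with basename() plus an allowlist. The paths and file names are placeholders, and it assumes PHP 7 or later.

```php
<?php
// Added example, not code from any poster in this thread.
// Assumes: an include directory outside the document root
// (/home/site/include, a placeholder) that is listed in include_path,
// a constructed db.inc there holding the credentials as constants, and a
// pages/ subdirectory containing home.inc, contact.inc and about.inc.

// --- /home/site/include/db.inc (constructed contents, for reference) ---
//   <?php
//   define('DB_HOST', 'localhost');
//   define('DB_USER', 'app_user');
//   define('DB_PASS', 'placeholder-password');
//   define('DB_NAME', 'app_db');
// ------------------------------------------------------------------------

// A literal file name: no request data reaches include(), and the file is
// found through include_path rather than a path under the web root.
require_once 'db.inc';

// Pages chosen by the client are where an unchecked "file var" goes wrong.
// basename() removes any directory component, the allowlist restricts the
// name to pages we intend to serve, and realpath() confirms the resolved
// file really sits inside $dir (missing file or symlink escape => null).
function resolve_page($requested, array $allowed, $dir)
{
    if (!is_string($requested)) {        // arrays etc. are never valid
        return null;
    }
    $name = basename($requested);
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $name . '.inc');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$pagesDir     = '/home/site/include/pages';   // placeholder location
$allowedPages = ['home', 'contact', 'about'];
$page = resolve_page($_GET['page'] ?? 'home', $allowedPages, $pagesDir);
if ($page === null) {
    http_response_code(404);
    exit('No such page');
}
include $page;
```

A .inc file placed inside the document root is sent to the browser as a plain file by a default Apache configuration, which is why the include directory sits above it rather than merely behind .htaccess.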
 
Probably the safest way to store any code (especially ones with passwords) is to use Zend Encoder to encode your scripts, making it impossible for anyone to read them. Some people think that Encoder is pricey ($1000/year or $2400/life), but I figure it is a small price to pay for a very strong security measure.

Plus, if you develop web applications for clients, it is a small insurance that your client isn't going to give your source code to your competitors when they want to add features. Before I started using Zend Encoder, I had a client give my entire source code, representing hundreds of hours, for an application to a competing web firm because the other firm said they could add extra features for less than what I was charging. A few months later I started to see a very familiar application as a demo on my competitor's site... Now I encode ALL my scripts before giving them to the clients. I do database password changes in the code for free.
 