security with PHP 1

Status
Not open for further replies.

mufka

Dec 18, 2000
I've got some PHP scripts that are accessing a MySQL database. I have a file that defines all of the connection variables and the scripts include that file. Is there any danger that the file could be included/read from a remote server and allow someone to get the connection info? Is there a better way to do this? Do file permissions matter?

Thanks
 
Hi

mufka said:
Is there any danger that the file could be included/read from a remote server and allow someone to get the connection info?
Yes, but usually that happens through the web server, so if the file containing the settings is also a PHP file, not its content but its output will be reached. So just pay attention to not produce relevant output in the configuration file.
mufka said:
Is there a better way to do this?
No, but you can add a twist by storing the configuration file outside the document root of the web server. That makes the attacker's job more difficult.
mufka said:
Do file permissions matter?
No, because usually the cracker will request it as the same user as the web server does. But it is always a good idea to limit the access to as few users as possible. For more on this you have to tell us the operating system's and web server's name.

Feherke.
 
I would agree with feherke. IMO the best thing to do is store the config file outside the document root; this will prevent the file being accessed through any normal browser request.

Another security measure which seems to be overlooked when dealing with db connections is the permissions of the MySQL user. Create a user (in MySQL) that only has access to what is needed. If you will just be selecting data out of the db, create a user with only select permissions and only on the tables needed. Do not use a generic user which has almost all the same privileges as root. MySQL allows almost granular control over user privileges; make use of these.

-- -- -- -- -- --

If you give someone a program, you will frustrate them for a day
but if you teach them how to program, you will frustrate them for a lifetime.
 
It hadn't even occurred to me to use a SELECT only user for the queries. I'll do that. One question that I have is how do I reference a config file that is out of the document root from within a script? Do I use ../../config.php or the full *nix path?

Thanks
 
Personally, I have always used an absolute path when dealing with files outside the document root, but that is just a personal preference; either will work and I don't really see any major difference, especially from a security aspect.

If you give someone a program, you will frustrate them for a day
but if you teach them how to program, you will frustrate them for a lifetime.
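
An added example, not part of any post in this thread, combining the suggestions above: a config file kept outside the document root, referenced by an absolute path, and a SELECT-only MySQL account. The paths, the `shop` database, the `shop_ro` account and the `load_db_config()` helper are assumptions made for illustration.

```php
<?php
// Assumed layout (hypothetical paths):
//   /var/www/example/public/                <- web server document root
//   /var/www/example/private/db-config.php  <- outside the root; it contains only:
//       <?php return ['dsn'  => 'mysql:host=localhost;dbname=shop;charset=utf8mb4',
//                     'user' => 'shop_ro', 'pass' => '...'];
//
// The MySQL account is limited to what the scripts need (run once as an admin):
//   CREATE USER 'shop_ro'@'localhost' IDENTIFIED BY '...';
//   GRANT SELECT ON shop.products TO 'shop_ro'@'localhost';

function load_db_config(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);   // absolute path, symlinks resolved
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('Config file or document root not found');
    }
    // Refuse a config file that the web server could serve directly.
    if (strpos($real . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('Config file is inside the document root');
    }
    // Refuse a file that every local user can read or write (POSIX mode bits).
    if ((fileperms($real) & 0007) !== 0) {
        throw new RuntimeException('Config file is accessible to "other" users');
    }
    $config = require $real;         // the file returns an array and prints nothing
    if (!is_array($config) || !isset($config['dsn'], $config['user'], $config['pass'])) {
        throw new RuntimeException('Config file did not return dsn/user/pass');
    }
    return $config;
}

// In a script under public/: build the path from __DIR__, not the working directory.
$cfg = load_db_config(dirname(__DIR__) . '/private/db-config.php', __DIR__);
$pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$stmt = $pdo->prepare('SELECT name, price FROM products WHERE id = ?');
$stmt->execute([42]);
```

With this account, an INSERT, UPDATE or DELETE sent through the same connection is rejected by MySQL, so a flaw in one script cannot be used to modify data.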
 