php/mysql security question (was Re: [ale] [OT] web hosting (php/mysql/apache) suggestions?)

Robert Coggins ale at cogginsnet.com
Wed Jun 4 10:09:03 EDT 2003


Jenn,

Here is my question.  How can you set the permissions so only me and apache
can read the file with the pw?  Because it seems other people on the server
can see it also.  The problem with me is that I am on a hosting service and
cannot stop others from reading that file without keeping apache from
reading it...

Thanks,
Rob

----- Original Message -----
From: "J.M. Taylor" <jtaylor at onlinea.com>
To: <ale at ale.org>
Sent: Wednesday, June 04, 2003 10:12 AM
Subject: Re: php/mysql security question (was Re: [ale] [OT] web hosting
(php/mysql/apache) suggestions?)


> Dylan,
>
> This is an interesting issue.
>
> The first thing is that I always put my password file outside the
> web-accessible directory, and include it NOT as a variable.  IE, my
> include statement is include_once('/path/outside/web/config.php').  If you
> use a variable for that path, make 100% sure that you initialize it
> somewhere, that globals are not on, and that you know deep in your heart
> that nobody can pass you a GET, POST, or COOKIE var that will overwrite
> that variable name. Includes can be dangerous creatures.
>
> The second thing is that even tho it's outside the web directory, I make
> it a PHP script.  IE, username, host, password, and database name are all
> variables wrapped in the php open/close tags.  That way if someone *does*
> manage to display it to their browser, they get a blank screen and all
> that happens is your variables get initialized.
>
> That's as safe as you can be and stay sane.  There are other, overkill
> sort of things you can do here, most of which I've tried.  They all have
> their problems and don't increase the security enough to justify the
> headache...in fact most other things just give you a false sense of
> security.  Please if someone on the list has things they've tried that
> don't fall into that category, let me know!! :)
>
> There's no substitute for limiting permissions in your database.  One user
> per application, one config file per application. Use good passwords but
> not passwords or usernames that have any connection to users on your
> system or even users in your application if they're logging in via the web
> (ie, don't let a web user or, god forbid, a shell user named 'joe' with a
> password of '1n5ekur3' also be a database user with the same username and
> password).  NEVER use your mysql root password in ANY web config thing
> EVER for ANY REASON no matter what worthless crap like phpMyAdmin tells
> you.
>
> I've done this a lot, and I still look for ways to make the setup more
> secure. I'd be interested to see what others do along these lines, this is
> just my best practices from a few years in the field.
>
> HTH
> jenn
>
>
>
> Dylan Northrup said:
> > Here's the situation as I see it:
> > - .php files need to be 644 in order for Apache to be able to read them
> > - I can't make them 640 and chgrp them to the apache group since I'm not
> >   a part of the apache group (and even if I did, other folks in group
> > apache could read my files as well)
> > - The reading of the .php files is important because I have to put my
> > mysql
> >   password in the mysql_connect statement and if someone has my mysql
> > password, they have access to my data.
> >
> > Now, I don't have anything important in there right now, so it's not a
> > big deal, but I'd prefer other people not being able to muck with my
> > data. Anyone else run into this issue?  If so, how did you deal with it?
>
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
>
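
Added example, not part of the original messages: a small shell audit that checks one PHP credentials file against the three points raised in the thread (kept outside the web root, wrapped in PHP tags, and not world-readable as with mode 644). The function name, finding labels, paths and file contents are constructed for illustration; the clean mode-600 case assumes PHP runs under the file owner's account, which is not true on every shared host.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PHP database-credentials file.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_db_config() {
    cfg=$1; webroot=$2; rc=0
    [ -f "$cfg" ] || { echo "MISSING $cfg"; return 1; }

    # Compare physical directories so ".." or a symlinked directory cannot
    # disguise a config file that really lives under the web root.
    cfg_dir=$(cd "$(dirname "$cfg")" && pwd -P)
    root_dir=$(cd "$webroot" && pwd -P)
    case "$cfg_dir/" in
        "$root_dir"/*) echo "INSIDE_WEBROOT $cfg"; rc=1 ;;
    esac

    # The first line must open a PHP block; otherwise anything that manages to
    # display the file shows the credentials instead of a blank page.
    first=''
    IFS= read -r first < "$cfg" || true
    case "$first" in
        '<?php'*) ;;
        *) echo "NOT_PHP_WRAPPED $cfg"; rc=1 ;;
    esac

    # Mode 644 from the thread: the "other" read bit lets every local account
    # on a shared host read the password.
    if [ -n "$(find "$cfg" -prune -perm -004)" ]; then
        echo "WORLD_READABLE $cfg"; rc=1
    fi
    return $rc
}

# Constructed demo layout in a temp dir: one weak file, one following the advice.
demo=$(mktemp -d)
mkdir -p "$demo/htdocs" "$demo/private"
printf 'db_pass=constructed-example\n' > "$demo/htdocs/db.inc"
printf '<?php\n$db_pass = "constructed-example";\n' > "$demo/private/config.php"
chmod 644 "$demo/htdocs/db.inc"
chmod 600 "$demo/private/config.php"

audit_db_config "$demo/htdocs/db.inc" "$demo/htdocs" || true
audit_db_config "$demo/private/config.php" "$demo/htdocs" || true
```

On a host where Apache can only read the file through the "other" bit, the WORLD_READABLE finding remains and marks the residual exposure the thread is asking about.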
