This issue seems to be a huge issue, and I've been looking for a good solution for quite a long time. My concern is that a shell emulating PHP or Perl script run as Apache can read or copy ANY PHP script used with PHP as an Apache module.
I setup Apache SuExe on my server, and use it with Perl, and optionally PHP. I don't want to make CGI based PHP the default, because running PHP as a CGI slows it down a bit, but more importantly, limits a few functions. I was reading the PHP site, and found an interesting idea at http://us3.php.net/manual/en/function.mysql-connect.php in the user notes. ------------------------------------------------- Another solution to the security problems of putting usernames and passwords into scripts. I haven't found this documented anywhere else so thought I'd suggest it for the online documentation. ........ Don't put passwords for mysql into scripts which may be read by any user on the machine. Instead put them into an Apache configuration file and make sure that it is not world-readable. (Apache reads its main config files as root.) For example, add this to your httpd.conf (and chmod it to 600 or 660) then tell your apache to reload itself (apachectl graceful). <Directory /var/www/html/mydatabase> php_value mysql.default_user fred php_value mysql.default_password secret php_value mysql.default_host server.example.com </Directory> Then all you need in your PHP code is $handle = mysql_connect() or die(mysql_error()); The passwords etc will only be picked up by scripts running in the named directory (or a sub-directory). The same may be done for virtualhosts etc. If you don't want to keep reloading your Apache server then you ay test things putting the php_value directives into a (world readable) .htaccess file. (Clearly not for production use.) If you need to debug the values that are being supplied (or not) then use this snippet: @syslog(LOG_DEBUG, "Using user=".ini_get("mysql.default_user"). " pass=".ini_get("mysql.default_password"). " host=".ini_get("mysql.default_host")); (This assumes that you are not running in 'safe_mode' and that you are on a unix of some sort.) ------------------------------------------------------------ I can't think of why this wouldn't work, and it seems much more secure than just putting the PHP script with the passwords outside the web root. Has anyone done this? Any thoughts on how someone could still get the passwords with this setup? Thanks, Peter Janett New Media One Web Services, LLC http://www.newmediaone.net [EMAIL PROTECTED] (303)828-9882 -----Original Message----- From: Mark [mailto:[EMAIL PROTECTED] Sent: Monday, June 30, 2003 8:34 AM To: Jaap van Ganswijk; [EMAIL PROTECTED] Subject: Re: [PHP] web site security: how to hide login info for mysql-connection How do you handle storing the login info then? Do you encrypt the file and decrypt it on the fly? Where would you store the key? I'm in the process of setting up a new application, and I've always used the "login info outside the webroot" method but if there's something more I can do, I'd like to know... --- Jaap van Ganswijk <[EMAIL PROTECTED]> wrote: > At 2003-06-29 17:21 +0100, Avvio - Frank wrote: > >basically you need to append to your include_path and you can > probably > >create a local .htaccess file and set an include path in there > (look up > >php_value syntax for .htaccess) > > > >otherwise start your script with a customised version of the > following: > > > >ini_set("include_path",ini_get("include_path").":". > "/your/path/here/"); > > > >then include/require as normal > > I think you can also use an include statement > like this: > include "../../php/include/file.inc"; > > The same mechanism can also be used for data > files that also shouldn't be in the WWW accessible > directory tree, I think. (But I'm not an expert.) > > I always try to write my programs very portable > and I have found that using "../application_data/file.txt" > isn't a problem, but using "../../xxx/application_data/file.txt" > is usually a problem, because you don't want to > hardcode the name of the directory above the current > directory (in this case 'xxx'). Sometimes however > you have to go two levels up to go out of the > WWW-acessable directory three. > > By the way, I think it's unwise to keep the MySQL > login data uncoded on the Unix system, because > other users or the system managers could read it. > Generally these files have to be readable by Apache > and therefore other users on the system can often > also read them. > > Greetings, > Jaap > > > >----- Original Message ----- > >From: "anders thoresson" <[EMAIL PROTECTED]> > >To: <[EMAIL PROTECTED]> > >Sent: Sunday, June 29, 2003 4:33 PM > >Subject: Re: [PHP] web site security: how to hide login info for > >mysql-connection > > > > > >> > Be aware that wherever you store the settings folder, your > php.ini > >should > >> > have that path in it's include_directories setting, and the > webserver > >> > must > >> > have read permissions for that file. > >> > >> I don't have access to php.ini on my ISP's web server. Is there > a way for > >> a user to make their own set ow include_directories? > >> > >> -- > >> anders thoresson > >> > >> -- > >> PHP General Mailing List (http://www.php.net/) > >> To unsubscribe, visit: http://www.php.net/unsub.php > >> > >> > >> > > > > > > > >-- > >PHP General Mailing List (http://www.php.net/) > >To unsubscribe, visit: http://www.php.net/unsub.php > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > ===== Mark Weinstock [EMAIL PROTECTED] *************************************** You can't demand something as a "right" unless you are willing to fight to death to defend everyone else's right to the same thing. *************************************** __________________________________ Do you Yahoo!? SBC Yahoo! DSL - Now only $29.95 per month! http://sbc.yahoo.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
