NamePros

Old 02-28-2008, 10:24 PM THREAD STARTER #1 (permalink)
pchip

MySQL/PHP - where to store username/password?


Hey everyone,

I've been doing some research and haven't been able to come up with a solid plan. I'm hoping that someone can point me in the right direction.

Here's the plan. I'm using the shared godaddy hosting plan with plans to upgrade to hostgator shared hosting at some point. I'm using php to connect to a simple mysql database. I'm a bit confused as to where to store the username/password to access this database. I've read a few documents but I'm not sure what I should and can do. It seems that you don't want to put it in the php code just in case someone gets access to these files. I read that you could put it in a file outside of the root url folder, though I'm not sure I have access to anything like this. Also maybe using environment variables.

Thanks for the help!

pc

Old 02-29-2008, 12:10 AM #2 (permalink)
Barrucadu

Just put it in the PHP files. The only way someone can get the password then is if they gain FTP access to your server.

Old 02-29-2008, 12:25 AM #3 (permalink)
Palyriot

Usually if they get the login information to your ftp, then they also have it for your cpanel/MySQL, so it doesn't really make a difference. Just make sure you don't distribute your files.

Old 02-29-2008, 06:39 AM THREAD STARTER #4 (permalink)
pchip

Thanks for the replies! I thought that if the server had a problem parsing the .php file that it would expose my username/password. Is there any better way to do this on shared hosting or is each way just as good as the next?

Thanks!

pc

Old 02-29-2008, 06:39 AM #5 (permalink)
Dotmainer

Originally Posted by Mikor
Just put it in the PHP files. The only way someone can get the password then is if they gain FTP access to your server.

I think that's not fine, if php-parser for some reason doesn't parse files, all users will see that (it never happened to me, but heard about that).

Best is outside of the root url folder, but if you don't have access to that I think other folder with .htaccess protection so only localhost can access it.

Old 02-29-2008, 08:18 AM #6 (permalink)
monaco

You should set up your database with generated passwords that are easy to change. I generally just include() a php.inc file outside of the http root with the db username and password stored in it for all my stuff. If the password is *somehow* compromised, it's easy to change.

Also, set up your mysql account to be @localhost not @'%' so even if the password IS compromised somehow, unless they're being hosted on your box too, they can't mess with it.

Edit: I forgot to add, when I was writing some tools/admin code before, I needed higher security, so I created a form on the login page for my admin section that would hash a string and use that as the db password. I thought it was pretty ingenious.

Old 02-29-2008, 08:47 AM THREAD STARTER #7 (permalink)
pchip

Is it possible to put a file outside of http root if it's shared hosting? If godaddy shared hosting doesn't let me, would hostgator shared hosting be any different?

Thanks!

pc

Old 02-29-2008, 08:58 AM #8 (permalink)
Dotmainer

It depends on structure, some shared allow and some not.
But I think maybe someone who has hosting on GoDaddy/Hostgator can answer that better.


Old 02-29-2008, 09:19 AM THREAD STARTER #9 (permalink)
pchip

I'm looking at it, and it seems that the .htaccess file is my best bet for restricting a file that contains my username/password. I'm playing around with it now, but it takes a bit to see if it works since the server doesn't pick up right away - I think anyway.

Thanks!

pc

Here's what I'm trying right now...

I created a folder in the root url (since I don't have access to anything else). Let's say the folder is temp. I'm going to place a file in here, maybe temp.inc or something like this. I dropped the following .htaccess file in the folder...

<Files .inc>
order deny,allow
deny from all
</Files>

This sounded like it would deny anyone access to it but I could use the php includes command to get the contents. I'm not sure if this will work or if I'm heading in the right direction.

Thanks for the help!

pc

Old 02-29-2008, 10:04 AM #10 (permalink)
monaco

Originally Posted by pchip
Is it possible to put a file outside of http root if it's shared hosting? If godaddy shared hosting doesn't let me, would hostgator shared hosting be any different?

Thanks!

pc

Why would this be a problem on shared hosting? I don't know how GoDaddy does it, but with cPanel hosting (which hostgator is) you get a home directory on a linux system, and ~/public_html is your web root. You could create ~/web-private/blahblah/sqlinfo.php and the httpd would not serve it as a page, but include() and require() could still get to it.
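
The layout described in the post above (a settings file beside the web root rather than under it, pulled in with require), as an added example that is not part of the thread. load_db_config(), the directory names and the credential values are constructed for illustration, and the helper goes one step further by refusing a settings file that sits under the web root.

```php
<?php
// Added example, not code from the thread. load_db_config(), the paths and
// the credential values below are constructed for illustration.

/**
 * Load DB settings from a PHP file that returns an array, refusing any
 * file the web server could hand out (one located below the document root).
 */
function load_db_config(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);   // resolves symlinks and ".." segments
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('config file or web root not found');
    }
    if (strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('config file is inside the web root');
    }
    $cfg = require $real;
    if (!is_array($cfg)) {
        throw new RuntimeException('config file did not return an array');
    }
    foreach (['host', 'name', 'user', 'pass'] as $key) {
        if (!isset($cfg[$key])) {
            throw new RuntimeException("missing config key: $key");
        }
    }
    return $cfg;
}

// Constructed demo layout: <tmp>/public_html is the web root and
// <tmp>/web-private holds the settings file.
$home = sys_get_temp_dir() . '/demo_home_' . getmypid();
mkdir("$home/public_html/temp", 0755, true);
mkdir("$home/web-private", 0755, true);
$body = "<?php\nreturn ['host' => 'localhost', 'name' => 'appdb',\n"
      . "        'user' => 'app_user', 'pass' => 'constructed-placeholder'];\n";
file_put_contents("$home/web-private/sqlinfo.php", $body);
file_put_contents("$home/public_html/temp/temp.inc", $body);

// On a real page: $docRoot = $_SERVER['DOCUMENT_ROOT'] and the config path
// is dirname($docRoot) . '/web-private/sqlinfo.php'.
$cfg = load_db_config("$home/web-private/sqlinfo.php", "$home/public_html");
echo "loaded settings for {$cfg['user']}@{$cfg['host']}\n";

try {
    // The same settings stored under the web root are refused.
    load_db_config("$home/public_html/temp/temp.inc", "$home/public_html");
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

With this layout the page under the web root contains only the call that loads the settings, so a response that returns the page's source unparsed shows a file path and no credentials.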

Old 02-29-2008, 10:04 AM THREAD STARTER #11 (permalink)
pchip

I had to change the .htaccess a little. Here's what I have now...

<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>

Now, if you try to access any .inc file in that folder, it will show a page not found! What do you guys think? Is this everything I need?

Thanks for the help!

pc

Quote:
Why would this be a problem on shared hosting? I don't know how GoDaddy does it, but with cPanel hosting (which hostgator is) you get a home directory on a linux system, and ~/public_html is your web root. You could create ~/web-private/blahblah/sqlinfo.php and the httpd would not serve it as a page, but include() and require() could still get to it.

I guess when I log in via ftp all I see is '/' as my root directory. I can't go back and create any directory before this. I would think any folder in this root would be accessed by the web. Am I missing something?

Old 02-29-2008, 10:08 AM #12 (permalink)
monaco

Originally Posted by pchip
I guess when I log in via ftp all I see is '/' as my root directory. I can't go back and create any directory before this. I would think any folder in this root would be accessed by the web. Am I missing something?

I understand now...guess ya get what you pay for with GoDaddy. I would never go with a host that doesn't let you store things outside of the http root

HostGator will let you do this the right way.

Old 02-29-2008, 10:26 AM THREAD STARTER #13 (permalink)
pchip

Quote:
I understand now...guess ya get what you pay for with GoDaddy. I would never go with a host that doesn't let you store things outside of the http root

Yeah, I'm just using the hosting with godaddy while I do my testing since it's free. So, that's nice to know once I switch over to hostgator I'll be able to do this a different way. I like the idea of putting the file into a sep directory like you mentioned without having to use the .htaccess file. This sounds the most secure.

Any other ideas or opinions are more than welcome!

Thanks for the help everyone! Reps added.

pc

Old 02-29-2008, 10:38 AM #14 (permalink)
Palyriot

Why does it even matter? If you include something, it's the exact same thing as running the function in the main script. It will still show the same error, just with a different file name and line number. If you want the errors suppressed, put an @ in front of mysql_connect or an error_reporting(0); at the start of the file. Besides, all errors should be suppressed on your main server anyways. Any kind of error can give someone a ton of details on how to mess your server up. Also, when a mysql_connect encounters an error, it doesn't tell anyone your password, it just says using password 'YES' or something along those lines. It will show your username though. 'username@localhost'.

Derek

Originally Posted by zoki
I think that's not fine, if php-parser for some reason doesn't parse files, all users will see that (it never happened to me, but heard about that).

Best is outside of the root url folder, but if you don't have access to that I think other folder with .htaccess protection so only localhost can access it.

Even if it's outside of the root folder, when the file is included and run, it will still show the exact same errors.

Old 02-29-2008, 10:50 AM THREAD STARTER #15 (permalink)
pchip

Originally Posted by Palyriot
Why does it even matter? If you include something, it's the exact same thing as running the function in the main script. It will still show the same error, just with a different file name and line number. If you want the errors suppressed, put an @ in front of mysql_connect or an error_reporting(0); at the start of the file. Besides, all errors should be suppressed on your main server anyways. Any kind of error can give someone a ton of details on how to mess your server up. Also, when a mysql_connect encounters an error, it doesn't tell anyone your password, it just says using password 'YES' or something along those lines. It will show your username though. 'username@localhost'.

Derek

Even if it's outside of the root folder, when the file is included and run, it will still show the exact same errors.

I'm trying to prevent my username/password from being exposed on my .php page because the server didn't parse the page as a php page. It's probably rare but can happen. It seems that if you hide the file outside the root folder then they can't access it via the web and if your page fails to load then there's nothing on the .php page except an includes command for this file (instead of your username/password).

pc

Old 02-29-2008, 11:08 AM #16 (permalink)
Palyriot

If it's in <?php ?> tags anyways, they can't access it from the web. Also, if you put a @ in front of the command, they'll never see the function even ran, even if it causes an error. Also with the error_reporting(0); command, no error will ever be exposed on the page with that command. Even if the command does get an error and it's being included from outside the root folder, the error will still show the password. Include looks the exact same for the end user, just organizes the code a little bit.

Old 02-29-2008, 01:36 PM #17 (permalink)
monaco

Originally Posted by Palyriot
If it's in <?php ?> tags anyways, they can't access it from the web.

Not necessarily. If the mime association gets broken on the server, or the server can't find the php module or can't load it, it will just send the contents of the page to the browser or give a 500 error, configuration-dependent of course.

Putting the password page outside the web root would give less info away should this happen.

Old 02-29-2008, 01:59 PM #18 (permalink)
wikes82

put them in php file, and if you really don't want anyone to see your codes / password, use product like Zend Guard - http://www.zend.com/en/products/guard/ to encrypt your PHP files.

Old 02-29-2008, 02:02 PM #19 (permalink)
monaco

Originally Posted by wikes82
put them in php file, and if you really don't want anyone to see your codes / password, use product like Zend Guard - http://www.zend.com/en/products/guard/ to encrypt your PHP files.

Eh, that requires server side stuff that not all hosts have...I tend to stay away from products like that.

Old 02-29-2008, 04:33 PM #20 (permalink)
Palyriot

Originally Posted by monaco
Not necessarily. If the mime association gets broken on the server, or the server can't find the php module or can't load it, it will just send the contents of the page to the browser or give a 500 error, configuration-dependent of course.

Putting the password page outside the web root would give less info away should this happen.

Good point on that one.