#1
  1. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2000
    Posts
    3
    Rep Power
    0
    My web hosting tech support are not understanding my problem. Basically my
    PHP scripts query my DB. To do so, I have to put my DB password directly into my .php3 files. From the MySQL manual, I should be able to keep a .my.cnf file in my home dir (-rw-------) which will be consulted instead
    of keeping passwords in scripts.

    When I ask tech support why my .cnf file is not consulted, they reply with:

    > our version of mysql is
    > mysql Ver 9.38 Distrib 3.22.30
    > this version doesnt have the
    > grant_priv field in the user
    > table of the mysql database
    > (the main mysql config db)
    > thus we cant give you grant
    > capabilities, further the
    > .my.cnf requires the file_prv
    > to be defaulted to yes, the
    > head sys admin told me to make
    > these config to no , thus a
    > priv overwrite using a .cnf
    > file is not possible.


    Can anyone verify this as a legit 'excuse' or
    provide me an alternative to having my DB password in a PHP script? Needless to say I'm not thrilled to have passwords in scripts as there must be a way users could retrieve them and view (though I tried using 'wget' on one of my scripts and it did not reveal my PHP code verbatim). At a minimum, another user on my hosting machine would have the ability to view my PHP scripts and thus could drop my DB.

    Please offer some advice I can tell the
    not-so-great tech support. Thanks!!

    --Greg
  2. #2
  3. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 1999
    Location
    Annapolis, Maryland US
    Posts
    113
    Rep Power
    16
    Try keeping your sensitive stuff in an "include" directory above document root. If your site is located at /www/users/yoursite/HTML then make the directory /www/users/yoursite/include and add a text file called db.inc or similar. db.inc might look like...
    <?
    $hostname="localhost";
    $username="user";
    $password="pass";
    $dbName="database_name";

    function LinkUp($hostname, $username, $password)
    {
    $mysql_link=mysql_connect($hostname, $username, $password);
    return $mysql_link;
    }
    ?>

    Then in your PHP script,use
    <?
    include "/www/users/yoursite/include/db.inc";
    $link=LinkUp($hostname, $username, $password);
    mysql_select_db($dbName);

    //query away...

    ?>

    Hope this helps
  4. #3
  5. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2000
    Posts
    3
    Rep Power
    0
    Kyuzo,
    and what file permissions would I want to give this 'include' file? I just created a test file and gave it 644 permissions and when I pull the file remotely using 'wget', I can view the password and everything. This is worse than putting the password in the script the original way because at least PHP does some sort of processing to hide some of its raw code.

    Any other thoughts?

    --Greg
  6. #4
  7. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2000
    Posts
    6
    Rep Power
    0
    Just use a file that ends in ".php3" so that it gets interpreted by the mod_php before geting sent to the browser. That should result in a blank page being returned if someone tries to read your include file...


    ------------------
    -Erik

    [This message has been edited by Erik Lindsley (edited March 24, 2000).]
  8. #5
  9. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2000
    Posts
    3
    Rep Power
    0
    Erik,

    that _does_ solve the problem with wget returning something useful but does not solve the other issue that other users of my machine can view this included .php3 file. Therefore the real people I am attempting to thwart can still drop my DB since they can plainly view my passwd. I really need a solution that works with the intended .my.cnf configuration file (just as the folks who wrote MySQL suggest). Perhaps I need to spend more time learning about this "file_prv" variable that my hosting company has set to No when I believe it is intended to be Yes.

    Any admins out there know why a company would reset this var to No? Any good security reasons? - seems it actually defeats the purpose of (user) security not improve.

    --Greg
  10. #6
  11. No Profile Picture
    Gödelian monster
    Devshed Regular (2000 - 2499 posts)

    Join Date
    Jul 1999
    Location
    Central Florida, USA
    Posts
    2,307
    Rep Power
    62
    The contents of your include file do not need to be world-readable to include into a document presented to the browser. As long as the PHP process can read the include file, you can keep the permissions to a minimum. If other users on the system can still view this document, there is something wrong with that system. And if this is a standard Unix setup, you should have a directory below your HTML documents directory where you can place this file, where http users (or wget) could never download it from the web.

Similar Threads

  1. smarty renders blank page
    By eemo in forum PHP Development
    Replies: 3
    Last Post: January 19th, 2004, 05:54 AM
  2. Cronjob madness
    By eliteboo in forum Linux Help
    Replies: 10
    Last Post: July 14th, 2003, 11:49 AM
  3. How can a dummy get started with APACHE, PHP and MySQL?
    By TotalBeginner in forum Beginner Programming
    Replies: 4
    Last Post: October 20th, 2002, 04:03 PM
  4. PHP and MySQL on Apache Liux/Win 98
    By vu3prx in forum Apache Development
    Replies: 2
    Last Post: October 31st, 2001, 10:59 AM
  5. Connecting PHP to mysql on Windows
    By munisp in forum PHP Development
    Replies: 2
    Last Post: April 27th, 2000, 06:47 PM

IMN logo majestic logo threadwatch logo seochat tools logo