PHP and Security??
February 29th, 2000, 03:31 AM
I am very new with php and web content in general, and my concern is with my novice ability leaving huge security holes for any joker to have their way with.
Here is my current thought.
If I have a php script in a public html folder named index.php3, how secure is this, if at all?
Say I have a line like:
MySql_pconnect("host","account","password");
How easy is it for people to get the host, account, password?
Any info would be great, and if this is a huge security violation what would be a better approach.
Thanks.

February 29th, 2000, 05:32 AM
The security issue depends in a way on the rights the specific account, used in your code, has. If this account has all the rights to for instance delete, create and update fields and even tables the security issue is greater than when the rights are only confined to using select statements.
Most important, however, is the way the rest of the PHP-page is written. In general if the PHP-page is written safely (so for instance no possibility to upload files, without any check, or to give commands to the php-parser) the security is only dependent on the safety of the web server.
This is what I know through my knowledge of the different languages, but since I do not have any formal education or experience in security issues, if some pieces of this story are not 100% correct, feel free to correct me.
------------------
Ramon Litjens
Boradoli Web Design
(www.boradoli.nl)

February 29th, 2000, 08:02 AM
Ramon is on target with security being a function of good, solid PHP coding and nailing down directory permissions but if you're concerned about the public HTML directory being compromised, you can make an include directory above document root which contains any info (usernames, passwords) and functions you would rather not have below document root.
Say your document root is '/www/domain/HTML/'
Then in '/www/domain/include' you can store your sensitive information in a file called access.inc or similar...
$hostname="localhost";
$username="myuser";
$password="mypass";
Then in your HTML document you could have something like...
include "/www/domain/include/access.inc";
then connect to MySQL using the variables from access.inc
$link=mysql_connect($hostname, $username, $password);
Good Luck,
Kyuzo
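
An added example, not part of the original posts: a loader for the layout described above that refuses a credentials file the web server could serve or that any local account could read, then connects with mysqli (the mysql_* functions used in the thread were removed in PHP 7). The file name access.php, the array keys and the function name are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Assumed contents of /www/domain/include/access.php (hypothetical file).
// It must open with the PHP tag, otherwise include/require emits it as text:
//   <?php return ['hostname' => 'localhost', 'username' => 'myuser',
//                 'password' => 'mypass',    'database' => 'mydb'];

function load_db_credentials(string $credFile, string $docRoot): array
{
    // Resolve symlinks and ".." so the comparison uses real locations.
    $cred = realpath($credFile);
    $root = realpath($docRoot);
    if ($cred === false || $root === false) {
        throw new RuntimeException('credentials file or document root not found');
    }

    // Refuse a file that sits below the document root, where a handler
    // misconfiguration would let the server return it as plain text.
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($cred, $rootPrefix, strlen($rootPrefix)) === 0) {
        throw new RuntimeException('credentials file is inside the document root');
    }

    // Refuse a file readable by every local account (Unix "other" read bit).
    if ((fileperms($cred) & 0004) !== 0) {
        throw new RuntimeException('credentials file is world-readable');
    }

    $config = require $cred;
    foreach (['hostname', 'username', 'password', 'database'] as $key) {
        if (!is_array($config) || !isset($config[$key])) {
            throw new RuntimeException("credentials file is missing '$key'");
        }
    }
    return $config;
}

$c = load_db_credentials('/www/domain/include/access.php', $_SERVER['DOCUMENT_ROOT']);

// Raise exceptions on connection errors instead of printing warnings,
// which can disclose the host and account name to the visitor.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$link = new mysqli($c['hostname'], $c['username'], $c['password'], $c['database']);
```

The account named in the file should hold only the rights the page needs (for example SELECT alone), as the first reply points out.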

February 29th, 2000, 09:40 AM
Thanks,
I think the idea to put the login data into an external include file above the base directory is good and will work for me.
At least with my limited security knowledge it seems more secure.
Thanks for the help.