#1
    I am very new with php and web content in general, and my concern is with my novice ability leaving huge security holes for any joker to have their way with.

    Here is my current thought.

    If I have a php script in a public html folder named index.php3, how secure is this, if at all?

    Say I have a line like:
    mysql_pconnect("host", "account", "password");

    How easy is it for people to get the host, account, password?

    Any info would be great, and if this is a huge security violation, what would be a better approach?

    Thanks.
#2
    The security issue depends in a way on the rights the specific account, used in your code, has. If this account has all the rights to, for instance, delete, create and update fields and even tables, the security issue is greater than when the rights are only confined to using select statements.

    Most important, however, is the way the rest of the PHP-page is written. In general if the PHP-page is written safely (so for instance no possibility to upload files, without any check, or to give commands to the php-parser) the security is only dependent on the safety of the web server.

    This is what I know through my knowledge of the different languages, but I do not have any formal education or experience in security issues, so if some pieces of this story are not 100% correct, feel free to correct me.

    ------------------
    Ramon Litjens
    Boradoli Web Design
    (www.boradoli.nl)
#3
    Ramon is on target with security being a function of good, solid PHP coding and nailing down directory permissions, but if you're concerned about the public HTML directory being compromised, you can make an include directory above document root which contains any info (usernames, passwords) and functions you would rather not have below document root.

    Say your document root is '/www/domain/HTML/'

    Then in '/www/domain/include' you can store your sensitive information in a file called access.inc or similar...
    <?php
    // access.inc: without the PHP open tag, include would print these lines as text
    $hostname = "localhost";
    $username = "myuser";
    $password = "mypass";

    Then in your HTML document you could have something like...
    include "/www/domain/include/access.inc";

    Then connect to MySQL using the variables from access.inc
    $link = mysql_connect($hostname, $username, $password);

    Good Luck,

    Kyuzo
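
The layout Kyuzo describes, as an added example that is not part of the original thread: a loader that refuses a credentials file sitting inside the document root or readable by every local account, then hands the values to PDO (the mysql_* functions used above were removed in PHP 7). The file name access.php, the array keys, the dbname value and both function names are assumptions.

```php
<?php
// Added example, not from the thread; paths, keys and names are assumptions.
// Load credentials from a PHP file that must sit outside the document root.
function load_db_config(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('config file or document root not found');
    }
    // A file under the document root can be requested by URL; refuse it.
    if (strpos($real, rtrim($root, '/') . '/') === 0) {
        throw new RuntimeException('credentials file is inside the document root');
    }
    // Assumes a Unix-like host: refuse a file every local account can read.
    if ((fileperms($real) & 0004) !== 0) {
        throw new RuntimeException('credentials file is world-readable');
    }
    $cfg = require $real; // the file returns an array instead of setting globals
    foreach (['dsn', 'user', 'pass'] as $key) {
        if (!is_array($cfg) || !isset($cfg[$key])) {
            throw new RuntimeException("credentials file lacks '$key'");
        }
    }
    return $cfg;
}

// Connect with PDO and make failures raise exceptions instead of passing silently.
function connect_db(array $cfg): PDO
{
    return new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'],
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
}

// Constructed demo layout mirroring /www/domain/{HTML,include} in a temp dir.
$base = sys_get_temp_dir() . '/domain_' . getmypid();
mkdir("$base/HTML", 0755, true);
mkdir("$base/include", 0700, true);
$body = "<?php return ['dsn' => 'mysql:host=localhost;dbname=app', 'user' => 'myuser', 'pass' => 'mypass'];";
file_put_contents("$base/include/access.php", $body);
chmod("$base/include/access.php", 0600);
$cfg = load_db_config("$base/include/access.php", "$base/HTML");
echo "loaded credentials for {$cfg['user']}\n";
file_put_contents("$base/HTML/access.php", $body); // misplaced copy under the docroot
try {
    load_db_config("$base/HTML/access.php", "$base/HTML");
} catch (RuntimeException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

Giving the credentials file a .php name means that a copy which does end up under the document root is executed by the server rather than sent back as plain text, which is what would happen to a .inc file on a server not configured to parse that extension.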
#4
    Thanks,

    I think the idea to put the login data into an external include file above the base directory is good and will work for me.

    At least with my limited security knowledge it seems more secure.

    Thanks for the help.
