Posted by J.O. Aho on 08/19/06 09:27
nobody@thisaddress.net wrote:
> Hello,
>
> I'm new to PHP and MySQL and decided to write my first PHP script that
> will take an email address from a form (newsletter sign up) and store it
> in a MySQL database.
>
> From my initial learnings on PHP, I must first connect to the database:
>
> $connect = mysql_connect("localhost","username","password");
This works fine as long as the webserver works and lets PHP process the
code; then no one will see the login and password.
The problem is if the webserver gets into trouble and PHP doesn't work; then the code
is sent in clear text and people can see your login and password.
Another thing that can cause trouble is backup files, especially if you use
your IDE/text editor directly in the "home page directory tree", as those
files won't be processed by PHP. For example, emacs saves a backup called *.php~
and as the filename doesn't end in .php, the file will not, with default settings,
be processed and will be sent in clear text.
As David Quinton has already written, it's good to place things like this in an
include file that is outside the "home page directory tree"; this way even if
PHP did not work for some reason, no one outside the system could access
the login and password.
If you can't use a directory outside the "home page directory tree", then
hopefully the webserver is Apache and you can use .htaccess to restrict access
to directories: deny all access to the directory where you store the
include file, and the webserver will still be able to read the file. For security
reasons, always let include files end with .php; this way you can be sure that if
PHP works then the file will be processed and your password/login won't be
sent in clear text, should someone be able to access the file via the webserver.
> Is the above line of code a security risk to hackers and spammers? I
> know PHP is executed on the server side, but I feel having a file
> sitting on the server (http) with this sensitive info is vulnerable.
If you follow the recommendations you got, the only problem will be users that
already have access on the webserver. If it's a Microsoft server there isn't
much you can do; on a Unix-based server you can set the group to apache (or
whatever the webserver runs as) and then chmod 740. This prevents
others from reading the file (normal users shouldn't be part of the apache group,
or else the system is badly set up), the apache server can read the file and
you can do whatever you want with it.
> Is there nothing to worry about or should I be aware of additional
> security measures? Thank you in advance for your time and words.
Most additional things are concerns of the webserver administrator and there
isn't much you can do about those. If you aren't the admin yourself, then
see to it that the latest stable webserver is installed and keep other packages
upgraded.
//Aho
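As an added illustration of the layout the reply recommends (example code, not from the thread): POSIX shell functions that create the credentials include outside the document root, name it with a .php suffix, set group ownership and mode 740, drop a deny-all .htaccess as a fallback, and then check the result. The paths, the web server group name and the credential values are assumed placeholders.

```shell
#!/bin/sh
# create_private_include DOCROOT INCDIR WEBGROUP
#   Creates INCDIR with dbconfig.php (placeholder credentials), gives the
#   file to WEBGROUP with mode 740 (owner rw, web group r, others nothing)
#   and writes a deny-all .htaccess in case INCDIR is ever served by Apache.
create_private_include() {
    docroot=$1; incdir=$2; webgroup=$3
    mkdir -p "$docroot" "$incdir" || return 1
    # Constructed placeholder values, not real credentials. The .php suffix
    # means a working PHP would process the file rather than echo it.
    cat > "$incdir/dbconfig.php" <<'EOF'
<?php
$db_host = 'localhost';
$db_user = 'username';   // placeholder
$db_pass = 'password';   // placeholder
EOF
    # Deny direct web access (Apache 2.4 and 2.2 syntax); the PHP include()
    # reads the file through the filesystem, so this does not block it.
    cat > "$incdir/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
    chgrp "$webgroup" "$incdir/dbconfig.php" && chmod 740 "$incdir/dbconfig.php"
}

# check_private_include DOCROOT INCDIR
#   Returns 0 only if the include lives outside DOCROOT and is mode 740
#   (so "others" cannot read it even with shell access to the host).
check_private_include() {
    docroot=$1; incdir=$2
    f="$incdir/dbconfig.php"
    case "$(cd "$incdir" && pwd -P)/" in
        "$(cd "$docroot" && pwd -P)/"*) return 1 ;;  # inside the docroot
    esac
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "740" ]
}
```

Run the functions against a scratch directory first; on a real host, WEBGROUP is whatever group the web server process runs as (for example apache or www-data).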