Posted by J.O. Aho on 06/03/07 17:09

sundby wrote:
> On May 27, 11:15 am, "_mario.lat" <n...@libero.it> wrote:
>> hallo,
>> I use PHP and I'd like to not write in hardcoded way password
>> and login to access to mysql.
>> how to not write password in code for access to mysql?
>> How can I do?
>> I'd like that who see my code don't see my paswords.
>> there is a solution?
>> Thank you in advance.
>> Mario.
>
>
> What is this groups overall view on setting up .htaccess with
> something like:
> php_value auto_prepend_file /path/to/password/file.php
>
> Is this a "Good Thing" or a "Bad Thing"? I have not deared to use it
> yet, though if it never "screws up" I'm inclined to think it is more
> secure since the path is hidden even when they can see your scripts.

I don't think that will do any change in the security of the password and
login to the sql server, in most cases if a user is able to read the php code,
then they are on the local machine and would as likely be able to read the
..htaccess file and see where the password and login has been stored.
You really get more protection just by setting the right privileges on the
file where the password and login has been stored, just set the file to belong
to the user and the group that the web server is run as (usually
username:apache) and then see to that the file is readable by the web server
(set g+r) and that everyone else don't have any privileges at all (set o-rwx)
and now there is just three users who can read the password/login and it's the
user itself, the web server and root (without SELinux like rules, nothing can
stop root).
Keeping the file outside the "web root" will make that the file won't be
directly accessible by web visitors, this way disabling .htaccess feature in
apache or misconfiguration of the php module won't make the login/password
readable (of course if the user uses something as IIS, then it's possible to
access files outside the "web root", but no sane person would use IIS).


--

//Aho

[Back to original message]