On Monday 08 November 2004 14:40, you wrote:
> Don Calfa wrote:
> > Vaughn Treude wrote:
> >> Hello all:
> >> I know there are a lot of PHP gurus on this list, so hopefully it's
> >> not too off-topic.
> >> I'm a newbie to PHP and I'm struggling with a login script for my
> >> organization's website. I'm using an example script I got off the
> >> Web somewhere. It uses MySQL through the "PEAR" database driver.
> >> Here's the code snippet for the connection code in db_connect.php:
> >>
> >> ---------------------------
> >>
> >> <?php
> >> // require the PEAR::DB classes.
> >> require_once 'DB.php';
> >>
> >> // connection parameters (values masked by the poster)
> >> $db_engine = 'mysql';
> >> $db_user = 'XXXX';
> >> $db_pass = 'YYYYYYYY';
> >> $db_host = 'ieeepacn.com';
> >> $db_name = 'ZZZZZZZ';
> >>
> >> // build the PEAR::DB DSN: engine://user:password@host/database
> >> $datasource = $db_engine.'://'.
> >>               $db_user.':'.
> >>               $db_pass.'@'.
> >>               $db_host.'/'.
> >>               $db_name;
> >>
> >> // open the connection (TRUE = persistent connection)
> >> $db_object = DB::connect($datasource, TRUE);
> >>
> >> ------------------------
> >>
> >> This works, but it occurs to me: how can this thing possibly be
> >> secure? The password's there in clear text. A person would only
> >> need read access to get it. And if the PHP file's not globally
> >> readable, the login fails. Is there some factor here I'm missing
> >> such that it's more protected than I think? Or is there a better way
> >> to approach this?
> >>
> >> Thanks!
> >> Vaughn
> >
> > 1. If the webserver parses PHP rather than serving it as text, no one
> > will be able to read the contents of the file from the browser.
> > 2. You can create a user for MySQL that only has rights to the DB and
> > cannot log in to the server.
> > 3. You can split the variables from the connection string into 2 files.
> > 4. You can encrypt the variables (like $db_pass = "cGFzc3dvcmQ="; in
> > 1 file and in another file $db_engine =
> > {...base64_decode($db_pass)...;}). (There are tons of ways to do this.)
> > 5. You can obfuscate the entire script (from:
> > http://richard.fairthorne.is-a-geek.com/utils_obfuscate.php):
> >
> > > VY9NDoIwEEbXkHCHWZBUE1P2+IMheAGjibohpUwE
> > > Iy1QWHh7GaARv676pjPzGh1abPqyxVQricCSmNdF
> > > zbaeS8fPsxTVs1QIe2DVxzRvKhHuDbYEb0Msq4Ux
> > > xO5zLC+06YiXiFgLqbjUla0pUY3DH1OmzX4uOmF0
> > > 30qq/Sw4C4OAcc91HAfAagz0j5EGZ8eJwQzJgbOp
> > > GcA+pe2Lv+rshZJUkzgMpVZquK0WMhu4nK+n9dix
> > > i74=
> > '))); ?>
> >
> > I use #2 and #3 and make sure only that permission is available from
> > localhost for production. I sometimes use #5 in situations that I
> > need to protect myself (the tinkerer that messes with the code then
> > suddenly calls 'Hey, this doesn't work!').
> >
> > If anyone wants access to the DB, they'll get it. You just have to
> > make it not easy.
> >
> >
> > ---------------------------------------------------
> > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> > To subscribe, unsubscribe, or to change your mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
> That is a great tip, thanks!
>
> JD

Yes, thanks to Don and everyone else who replied. I think I have some
good places to start. I'm still out of my element here, so I needed it.
Right now everything I do breaks something, but I'm starting to
understand it, slowly but surely. :-)

Vaughn
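Editor's note, added to the thread above and not code from any of the posters: the two measures Don says he actually uses (#2, a least-privilege MySQL account reachable only from localhost, and #3, credentials split out of the script) are what address Vaughn's two worries, and they also answer the "if the file isn't globally readable, the login fails" problem, because the credentials file only has to be readable by the web server's group, not by everyone. Base64 as in #4 is a reversible encoding, so it adds nothing beyond #3. The example below keeps PEAR::DB as in the original snippet; the paths /etc/myapp/db.ini and the document root, the account name webapp, the www-data group and the database name are assumptions made for the illustration, and the CREATE USER/GRANT statements are the one-time server-side setup, shown in a comment.

```php
<?php
// db_connect.php, added example (not from the thread). Credentials live in a
// small .ini file OUTSIDE the web tree, readable only by root and the web
// server's group, and name a MySQL account that can do nothing beyond what
// the application needs, and only from localhost. All paths and names below
// are assumptions for the example.
//
// /etc/myapp/db.ini, owner root, group = web server group, mode 0640:
//   chown root:www-data /etc/myapp/db.ini && chmod 0640 /etc/myapp/db.ini
//
//   engine = mysql
//   user   = webapp
//   pass   = "YYYYYYYY"
//   host   = localhost
//   name   = ZZZZZZZ
//
// One-time setup on the MySQL server (grant only what the login code does;
// drop INSERT/UPDATE if it only ever reads):
//
//   CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'YYYYYYYY';
//   GRANT SELECT, INSERT, UPDATE ON ZZZZZZZ.* TO 'webapp'@'localhost';
//
// This file then holds no secret and can stay in the web tree; a stolen
// db.ini buys a low-privilege account that only accepts local connections.

require_once 'DB.php';                 // PEAR::DB, as in the original post

define('DB_INI', '/etc/myapp/db.ini'); // assumed location, outside DOCUMENT_ROOT

// Load the credentials, refusing to run if the file sits where it could be
// served as text or where any local account can read it.
function load_db_config($ini, $docroot)
{
    $real = realpath($ini);
    if ($real === false) {
        throw new RuntimeException("credentials file not found: $ini");
    }
    $rootReal = realpath($docroot);
    if ($rootReal === false) {
        throw new RuntimeException("document root not resolvable: $docroot");
    }
    $root = rtrim($rootReal, '/') . '/';
    if (strpos($real, $root) === 0) {
        throw new RuntimeException("$real is inside the document root $root");
    }
    $mode = fileperms($real) & 0777;
    if ($mode & 0007) {
        throw new RuntimeException(sprintf('%s has world permission bits (mode %04o)', $real, $mode));
    }
    $cfg = parse_ini_file($real);
    if ($cfg === false) {
        throw new RuntimeException("cannot parse $real");
    }
    foreach (array('engine', 'user', 'pass', 'host', 'name') as $key) {
        if (!isset($cfg[$key]) || $cfg[$key] === '') {
            throw new RuntimeException("$key missing from $real");
        }
    }
    return $cfg;
}

// Build the PEAR::DB DSN. User and password are rawurlencoded because
// DB::parseDSN rawurldecodes them; the plain concatenation in the original
// snippet breaks on a password containing ':', '@' or '/'.
function build_dsn(array $cfg)
{
    return sprintf('%s://%s:%s@%s/%s',
        $cfg['engine'], rawurlencode($cfg['user']), rawurlencode($cfg['pass']),
        $cfg['host'], $cfg['name']);
}

$cfg = load_db_config(DB_INI, $_SERVER['DOCUMENT_ROOT']);
$db_object = DB::connect(build_dsn($cfg), TRUE);
unset($cfg);
if (PEAR::isError($db_object)) {
    // Log server-side only: DB::connect attaches the DSN string, password
    // included, to the error object's user info, so never echo the object.
    error_log('DB connect failed: ' . $db_object->getMessage());
    die('Database unavailable');
}
```

The permission check is deliberately strict about the world bits rather than about the exact mode: 0640 with the web server's group is what lets PHP read the file while nothing served by the web server, and no other login on the box, can. If the application also has to run from the command line under another account, add that account to the same group rather than widening the mode.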