Re: dumb PHP question

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
MDon Calfa at <-
MVaughn Treude at ->
Attachments:
Message as email
+ (text/plain)
Delete this message
Reply to this message
Author: JD Austin
Date:  
To: plug-discuss
Subject: Re: dumb PHP question
Don Calfa wrote:

> Vaughn Treude wrote:
>
>> Hello all:
>> I know there are a lot of PHP gurus on this list, so hopefully it's
>> not too off-topic.
>> I'm a newbie to PHP and I'm struggling with a login script for my
>> organization's website. I'm using an example script I got off the
>> Web somewhere. It uses MySQL through the "PEAR" database driver.
>> Here's the code snippet for the connection code in db_connect.php:
>>
>> ---------------------------
>>
>> //require the PEAR::DB classes.
>>
>> require_once 'DB.php';
>>
>>
>> $db_engine = 'mysql';
>> $db_user = 'XXXX';
>> $db_pass = 'YYYYYYYY';
>> $db_host = 'ieeepacn.com';
>> $db_name = 'ZZZZZZZ';
>>
>> $datasource = $db_engine.'://'.
>>               $db_user.':'.
>>               $db_pass.'@'.
>>                $db_host.'/'.
>>                 $db_name;

>>
>>
>> $db_object = DB::connect($datasource, TRUE);
>>
>> ------------------------
>>
>> This works, but it occurs to me: how can this thing possibly be
>> secure? The password's there in clear text. A person would only
>> need read access to get it. And if the PHP file's not globally
>> readable, the login fails. Is there some factor here I'm missing
>> such that it's more protected than I think? Or is there a better way
>> to approach this?
>>
>> Thanks!
>> Vaughn
>>
>>
>>
> 1. If the webserver parses PHP not as text, no one will be able to
> read the contents of the file from the browser.
> 2. You can create a user for MySQL that only has rights to the DB and
> not login to the server.
> 3. You can split the variables from the connection string into 2 files.
> 4. You can encrypt the variables (Like $db_pass = "cGFzc3dvcmQ="; in
> 1 file and in another file $db_engine =
> {...base64_decode($db_pass)...;}. (there are tons of ways to do this)
> 5. You can obfuscate the entire script (from:
> http://richard.fairthorne.is-a-geek.com/utils_obfuscate.php):
>
> <? eval(gzinflate(base64_decode('
> VY9NDoIwEEbXkHCHWZBUE1P2+IMheAGjibohpUwE
> Iy1QWHh7GaARv676pjPzGh1abPqyxVQricCSmNdF
> zbaeS8fPsxTVs1QIe2DVxzRvKhHuDbYEb0Msq4Ux
> xO5zLC+06YiXiFgLqbjUla0pUY3DH1OmzX4uOmF0
> 30qq/Sw4C4OAcc91HAfAagz0j5EGZ8eJwQzJgbOp
> GcA+pe2Lv+rshZJUkzgMpVZquK0WMhu4nK+n9dix
> i74=
> '))); ?>
>
> I use #2 and #3 and make sure only that permission is available from
> localhost for production. I sometimes use #5 in situations that I
> need to protect myself (the tinkerer that messes with the code then
> suddenly calls 'Hey, this doesn't work!').
>
> If anyone wants access to the DB, they'll get it. You just have to
> make it not easy.
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

That is a great tip, thanks!

JD

--
JD Austin
Twin Geckos Technology Services LLC
email:
http://www.twingeckos.com
phone/fax: 480.344.2640

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change you mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

This message was posted to the following mailing lists:
Plug Discuss
Mailing List Info | Nearby Messages		<-Re: dumb PHP questionRe: Bad Spot on Disk->
Some Mailing List Archive administrated by UnconfiguredLurker (version 2.3)