Re: How to conceal userid/passwords in php classes


On Tue, Sep 16, 2008 at 07:06:10PM -0700, Don Russell wrote:
> 
>    I have some php classes I use for accessing mySQL databases on
>    localhost.
>    Somewhere in there, I have the mySQL userid/password so the php script
>    can access the data.
>    What is the normal practice for concealing that type of information?
>    Keeping classes in /usr/share/php seems to imply they need to be "world
>    readable", especially if they are going to be used by CLI scripts as
>    well as web page scripts.
>    This is on my home machine, it's not like I'm trying to protect a
>    million credit card numbers or anything like that. But, I am interested
>    in being "security aware"...
>    Thanks for any tips/pointers.


If you want to get it close to right, look at what the ssh and sshd folk do.

In general the last thing you want to do is add passwords to your php.

Next to last, but better, is placing them in a file that is readable
only by 'you' but not by apache or any process that might be hacked.
Better still is to have the mySQL database info and passwords in a
startup config file, establish a connection to the database, and then,
having read those bits, do a setuid/setgid transition to a safe account
that cannot read or write them.   One advantage of using files is that
the same code can be reused, say in the case of multiple hosted customers.

Better yet is to have the application prompt for the keys one time...
The user can then use a small handful of tricks to mouse cut and paste
them onto the prompt, including a good personal memory.   One trick is to have
encrypted keys on a USB key that can be removed.   See also something like
Password Safe.

   http://www.schneier.com/blog/archives/2005/06/password_safe.html

Do a bit of homework and isolate any authentication stuff in
your code to a single file so you can fix it and audit it.  php
has a bad track record...  use caution.  Some of the public examples
in the early days of php are badly flawed.   Webalizer is one historic
bad example; search the web and the change logs.


-- 
	T o m  M i t c h e l l 
	Found me a new hat, now what?
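The config-file-then-drop-privileges pattern described above, as an added example that is not part of the original post or of any Fedora package: a single loader file reads MySQL credentials from a root-owned, mode-0600 ini file, opens the connection while still privileged, and then does the setgid/setuid transition to an account that can no longer read the file. The path `/etc/myapp/db.ini`, the account name `myapp`, and the ini keys `host`, `dbname`, `user`, `password` are assumptions for illustration.

```php
<?php
// Added example (not from the original post). Assumed paths, account and
// ini keys; adjust for your setup. Intended for a CLI/cron script started
// as root, not for mod_php where the interpreter cannot setuid.
declare(strict_types=1);

const CRED_FILE = '/etc/myapp/db.ini';   // assumed; keep it outside DocumentRoot
const DROP_TO   = 'myapp';               // assumed unprivileged account

// Refuse a credentials file that anyone other than its owner can reach.
function check_credential_file(string $path): void
{
    $st = @stat($path);
    if ($st === false) {
        throw new RuntimeException("cannot stat $path");
    }
    if (($st['mode'] & 0077) !== 0) {
        throw new RuntimeException(sprintf(
            '%s is group/world accessible (mode %04o); chmod 0600 it',
            $path, $st['mode'] & 07777));
    }
    if ($st['uid'] !== posix_geteuid()) {
        throw new RuntimeException("$path is not owned by the running user");
    }
}

// Parse the ini file and insist every key we need is present.
function load_credentials(string $path): array
{
    check_credential_file($path);
    $cfg = parse_ini_file($path, false, INI_SCANNER_RAW);
    if ($cfg === false) {
        throw new RuntimeException("cannot parse $path");
    }
    foreach (['host', 'dbname', 'user', 'password'] as $k) {
        if (!isset($cfg[$k]) || $cfg[$k] === '') {
            throw new RuntimeException("missing key '$k' in $path");
        }
    }
    return $cfg;
}

function connect(array $cfg): PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4',
                   $cfg['host'], $cfg['dbname']);
    return new PDO($dsn, $cfg['user'], $cfg['password'],
                   [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
}

// Give up root for good: supplementary groups and gid first, because once
// the uid is changed the process may no longer set its groups.
function drop_privileges(string $account): void
{
    $pw = posix_getpwnam($account);
    if ($pw === false) {
        throw new RuntimeException("no such account: $account");
    }
    if (!posix_initgroups($account, $pw['gid'])
        || !posix_setgid($pw['gid'])
        || !posix_setuid($pw['uid'])) {
        throw new RuntimeException('failed to drop privileges');
    }
    if (posix_getuid() === 0 || posix_geteuid() === 0) {
        throw new RuntimeException('still root after setuid');
    }
}

if (posix_geteuid() !== 0) {
    fwrite(STDERR, "run as root so the credentials can be read before dropping privileges\n");
    exit(1);
}

$cfg = load_credentials(CRED_FILE);
$db  = connect($cfg);
unset($cfg);              // drop our reference; PHP does not scrub memory
drop_privileges(DROP_TO);

// From here on the process is unprivileged: it keeps the open connection
// but can no longer read the credentials file.
echo 'credentials file unreadable now: ',
     (@file_get_contents(CRED_FILE) === false ? 'yes' : 'NO'), "\n";
echo 'SELECT 1 -> ', $db->query('SELECT 1')->fetchColumn(), "\n";
```

Two caveats. The setuid step only works for scripts started as root (cron jobs, daemons, CLI tools); under mod_php the interpreter already runs as the web server user and cannot change identity, so for web scripts the fallback is the "next to last" option in the post: the same single loader file reading an ini owned by root, group-readable by the web server user only (0640), kept outside DocumentRoot so a misconfiguration cannot serve it as text. The permission check is deliberately loud rather than silent so a `chmod 644` slip shows up on the next run instead of months later.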

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines