On Aug 19, 2011, at 7:52 PM, DealTek wrote:
Hello,
NEWBIE: I have a security question:
When working with PHP and MySQL, it seems that one method is to
create a connection.php page to the database that will store the
connection parameters such as username, password and URL ip in clear
text and include this on various pages.
Since hackers seem to be getting better and better every day:
- Is this common practice to store this security data in the clear
on the PHP webpage?
- Wouldn't it be possible for a hacker to SNIFF around and pick up
this sensitive "clear text" security data?
- Is there some better, more secure way to communicate from the
website to the MySQL data source that is somehow sending encrypted
information rather than clear text back and forth?
Thanks in advance for your help.
If your web server and MySQL server are running on the same host, make
sure your db user only has access via localhost.
If your web server running php is on a different host from your MySQL
server, set the host access for that db user to only allow access from
the web server host. If you are running MySQL 5, you can secure the
connection using SSL to ensure that a sniffer will have a much more
difficult time stealing your credentials. Another way is to set up an
SSH tunnel.
A couple other things:
* generally, it is considered a good practice to store access
credentials used by a php application *outside* the web server's
visibility.
* include the php script in whatever other main scripts your
application has, and make it readable only to the web server user/group.
* if nothing else, make sure the file has the extension .php and the
credentials are inside the php code space so it can't be downloaded
directly by a web user.
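As an added example (not code from the original thread) that puts the advice above together: a PHP script that reads the credentials from an ini file kept outside the document root and connects with mysqli over SSL, verifying the server certificate. The paths, user name, host and database name are assumed placeholders.

```php
<?php
// Added example: credentials live in /etc/myapp/db.ini (assumed path),
// outside the web server's document root, e.g. owned by root, group
// www-data, mode 0640.  Constructed contents of that file:
//   host = db.internal      user = webapp      pass = <placeholder>
//   name = appdb            ca   = /etc/myapp/ca.pem
// The MySQL account is locked to the web host (assumed address) with:
//   CREATE USER 'webapp'@'10.0.0.5' IDENTIFIED BY '<placeholder>';
//   GRANT SELECT, INSERT ON appdb.* TO 'webapp'@'10.0.0.5';
// (use 'localhost' instead of the address when both run on one host)

declare(strict_types=1);

function load_db_config(string $path = '/etc/myapp/db.ini'): array
{
    if (!is_readable($path)) {
        throw new RuntimeException("DB config $path is not readable");
    }
    $cfg = parse_ini_file($path, false, INI_SCANNER_TYPED);
    foreach (['host', 'user', 'pass', 'name', 'ca'] as $key) {
        if (!isset($cfg[$key])) {
            throw new RuntimeException("DB config is missing '$key'");
        }
    }
    return $cfg;
}

function db_connect(array $cfg): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = mysqli_init();
    // Trust only the CA in the config and require the server to present
    // a certificate that chains to it; the client flag forces TLS so the
    // credentials and query traffic are not readable on the wire.
    $db->ssl_set(null, null, $cfg['ca'], null, null);
    $db->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
    $db->real_connect($cfg['host'], $cfg['user'], $cfg['pass'],
                      $cfg['name'], 3306, null, MYSQLI_CLIENT_SSL);
    return $db;
}

$db = db_connect(load_db_config());
// An empty Ssl_cipher value would mean the session is not encrypted.
$row = $db->query("SHOW STATUS LIKE 'Ssl_cipher'")->fetch_assoc();
echo "Connected, cipher: ", $row['Value'], "\n";
```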
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php