
how to not write password in code for using to mysql? - MySQL


  1. #1

    Default how to not write password in code for using to mysql?

    hallo,
    I use PHP and I'd like to not write in hardcoded way password
    and login to access to mysql.
    how to not write password in code for access to mysql?
    How can I do?
    I'd like that who see my code don't see my paswords.
    there is a solution?
    Thank you in advance.
    Mario.
    _mario.lat Guest

  2. #2

    Default Re: how to not write password in code for using to mysql?

    _mario.lat wrote: 

    I assume you use a Unix like system for your server.

    I assume you have your PHP scripts in ~/public_html

    Then you can create a directory ~/mypasswords

    Now you can create the following file

    --- ~/mypasswords/mysql.log.data.php ---
    <?PHP
    $mysql_login="loginname";
    $mysql_passw="secretpass";
    $mysql_host="localhost";
    $mysql_database="mydb";
    ?>
    -- eof ---

    Now in your php script that users can surf to

    --- ~/public_html/index.php ---
    <?PHP
    require_once('../mypasswords/mysql.log.data.php');
    mysql_connect($mysql_host, $mysql_login, $mysql_passw);
    mysql_select_db($mysql_database);

    //and so on...
    ?>
    --- eof ---

    Even if there would be a misconfiguration, and the PHP engine would be
    disabled, and the code is displayed in raw, no one will be able to see the
    login/password/host/database in your code, just see to that the user who is
    running the web server has the privileges to read the
    ~/mypasswords/mysql.log.data.php, but don't make the directory publicly
    available on the net (no symlinks to the file or directory in your ~/public_html).

    --

    //Aho
    J.O. Guest

  3. #3

    Default Re: how to not write password in code for using to mysql?

    Ya, that was fine what J.O. told, but rather than creating that file in
    public_html create a .conf file in /etc. For the first installation,
    take the username and password from the user and store it in the
    /etc/proj_name.conf file and in db.connect.php p it..

    Ravi Guest

  4. #4

    Default Re: how to not write password in code for using to mysql?

    Ravi wrote: 

    Read it again. J.O. did not say to create the file in public_html.

    And most hosting companies do not allow you to write to /etc. You need
    a vps or dedicated server to be able to have write access to that directory.

    --
    ==================
    Remove the "x" from my email address
    Jerry Stuckle
    JDS Computer Training Corp.
    net
    ==================
    Jerry Guest

  5. #5

    Default Re: how to not write password in code for using to mysql?

    >> I use PHP and I'd like to not write in hardcoded way password 
    >
    > Now you can create the following file[/ref]

    Thank you for answering me.
    I'm sure there is a better way with crypt:
    DES or SHA, RSA...
    Mario.
    _mario.lat Guest

  6. #6

    Default Re: how to not write password in code for using to mysql?

    _mario.lat wrote: 
    >> Now you can create the following file[/ref]
    >
    > Thank you for answering me.
    > I'm sure there is a better way with crypt:
    > DES or SHA, RSA...[/ref]

    Good luck reversing your database password from a one-way hash. :)

    --
    com

    "Wikipedia is kind of like the internet's bible: deep down nobody
    believes in it and nobody knows what is actually true." -- z00ze
    Rami Guest

  7. #7

    Default Re: how to not write password in code for using to mysql?

    _mario.lat wrote: 
    >> Now you can create the following file[/ref]
    >
    > Thank you for answering me.
    > I'm sure there is a better way with crypt:
    > DES or SHA, RSA...[/ref]

    As Elomaa already pointed out, you will have big trouble decrypting the
    one-way hashes. You could use rot13 to encode/decode your passwords; it's not much
    protection, but at first glance someone may think it's the plain password,
    up to the point when they check your script that decodes the password, at which
    point they will see the rot13. But that applies to all two-way encryption: as you
    need the decoder in your php script, they will be able to decode your encoded
    password without any trouble.

    When you use a Unix-like system, you can change the password file's privileges
    and that way protect the password from other people's eyes.

    Assuming that your user name is mario and that the apache server is run as
    the user apache, then do a "chown mario:apache -R ~/mypasswords" and then
    "chmod o-rwx -R ~/mypasswords"

    This way only you and the web server can read the file with your password; no
    other user except root will be able to read the file.

    --

    //Aho
    J.O. Guest

  8. #8

    Default Re: how to not write password in code for using to mysql?

    On 27 May, 17:56, "_mario.lat" <it> wrote: [/ref]

    >
    > Thank you for answering me.
    > I'm sure there is a better way with crypt:
    > DES or SHA, RSA...
    > Mario.[/ref]


    IF you use reversible encryption then the problem still remains that
    a password needs to be kept somewhere PHP can read it.

    One place to keep the password off the server is at the client end -
    and you could have one database password stored encrypted using
    each user's password. But you then have the problem of getting the
    user's password sent securely to the application (not to mention
    non-authenticated access).

    Jerry Stuckle rightly said: 

    But most do block HTTP access to files beginning with .ht - but these
    can be read locally.

    So if you can't work with files outside your web root, you can get the
    same effect by putting your password in .htppasswd.inc.php and
    including that. Although honestly it's not a big gain over including a
    php file which is directly addressable and pd as a php file.

    At the end of the day there's no simple solution to ensuring that only
    your approved scripts read from your configuration files to get
    credentials to access other secure resources. open_basedir goes a
    long way to improving things on a shared server if it's done right -
    but it doesn't provide any protection if a malicious user can get
    their own php code executing on your server.

    Suhosin has a lot of interesting bits in it - like a session
    encryptor, but I think that there is potentially a gap in the
    marketplace for a trusted php platform.

    C.

    C. Guest

  9. #9

    Default Re: how to not write password in code for using to mysql?

    On Sun, 27 May 2007 18:56:11 +0200, in alt.php "_mario.lat"
    <it>
    <it> wrote:
     

    Something that hasn't been discussed is mySQL views.
    If you are running mySQL 5+ then you can create a view.
    ---------------------------------------------------------------
    com.au : Remove your pants to reply
    ---------------------------------------------------------------
    Jeff Guest

  10. #10

    Default Re: how to not write password in code for using to mysql?

    C. wrote: 
    >> Thank you for answering me.
    >> I'm sure there is a better way with crypt:
    >> DES or SHA, RSA...
    >> Mario.[/ref]
    >
    >
    > IF you use a reversible encryption then the problem still remains that
    > a password needs to be kept somewhere PHP can read it.
    >
    > One place to keep the password off the server is at the client end -
    > and you could have one database password stored encrypted using
    > each users password. But you then have the problem of getting the
    > users password sent securely to the application (not to mention non-
    > authenticated access).
    >
    > Jerry Stuckle rightly said: 
    >
    > But most do block HTTP access to files beginning with .ht - but these
    > can be read locally.
    >[/ref]

    They block http access to files beginning with .ht only if your
    httpd.conf and/or .htaccess stop this access. With neither of the
    above, the files can be accessed.
     

    Most shared hosts give you access to a directory one level below your
    web root. The best place to put the files are in a directory (other
    than your web root) off of here. They will still be accessible via PHP,
    but not from the web.
     

    Nothing works if a malicious user gets his php (or any other language)
    code running on your server. But with proper security, even a shared
    host can prevent others on the same host from executing code in your
    area. At that point the most common problem is caused by insecure
    userid's/passwords used to upload files, access admin areas, etc.
     


    --
    ==================
    Remove the "x" from my email address
    Jerry Stuckle
    JDS Computer Training Corp.
    net
    ==================
    Jerry Guest

  11. #11

    Default Re: how to not write password in code for using to mysql?

    On May 27, 5:56 pm, "_mario.lat" <it> wrote: [/ref]

    >
    > Thank you for answering me.
    > I'm sure there is a better way with crypt:
    > DES or SHA, RSA...
    > Mario.[/ref]

    Hello Mario! I think that maybe you can "confuse" a little the
    malicious user by doing the following things:

    1st: as I read before, encrypt your password at (for example)
    base64:
    $user = "mario";
    $password = "Y0dGemMzZHZjbVE9"; (the word "password" encrypted at
    base64 TWICE, and looks like a plain text passwd)

    then, when you want to decrypt it and use it for logging in at some place
    of your scripts:
    echo base64_decode(base64_decode($password));
    or, to confuse the attacker more, you can do the same
    $pass_decrypted= base64_decode(base64_decode($password)); <--- but
    also encrypted in hex like this..:

    echo
    "&#x62;&#x61;&#x73;&#x65;&#x36;&#x34;&#x5F;&#x64;&#x65;&#x63;&#x6F;&#x64;&#x65;&#x28;&#x62;&#x61;&#x73;&#x65;&#x36;&#x34;&#x5F;&#x64;&#x65;&#x63;&#x6F;&#x64;&#x65;&#x28;&#x24;&#x70;&#x61;&#x73;&#x73;&#x77;&#x6F;&#x72;&#x64;&#x29;&#x29;&#x3B;";
    as done with echo, when executed, the browser prints the result in
    plain text, showing base64_decode(base64_decode($password)), but the
    question is how to save the plain text result in a variable containing
    your password decrypted...
    I hope this will help you... I just improvised this, 'cause I didn't
    have time to explore this more (I have to go to work now :( )
    Success!!! See u! =)

    Keniobats Guest

  12. #12

    Default Re: how to not write password in code for using to mysql?

    On May 28, 3:20 pm, Keniobats <com> wrote: [/ref]
    > [/ref]

    >
    > Hello Mario!, i think that maybe you can "confuse" a little the
    > malicious user doing the following things:
    >
    > 1st: as I read before, encrypt your password at (for example)
    > base64:
    > $user = "mario";
    > $password = "Y0dGemMzZHZjbVE9"; (the word "password" encrypted at
    > base64 TWICE, and looks like a plain text passwd)
    >
    > then, when you want to decrypt it and use it for logging in at some place
    > of your scripts:
    > echo base64_decode(base64_decode($password));
    > or, to confuse the attacker more, you can do the same
    > $pass_decrypted= base64_decode(base64_decode($password)); <--- but
    > also encrypted in hex like this..:
    >
    > echo
    > "&#x62;&#x61;&#x73;&#x65;&#x36;&#x34;&#x5F;&#x64;&#x65;&#x63;&#x6F;&#x64;&#x65;&#x28;&#x62;&#x61;&#x73;&#x65;&#x36;&#x34;&#x5F;&#x64;&#x65;&#x63;&#x6F;&#x64;&#x65;&#x28;&#x24;&#x70;&#x61;&#x73;&#x73;&#x77;&#x6F;&#x72;&#x64;&#x29;&#x29;&#x3B;";
    > as doing with echo, when executed, the browser prints the result in
    > plain text, showing base64_decode(base64_decode($password)), but the
    > question it's to save the plain text result, in a variable containing
    > your password decrypted...
    > I hope this will help you...i just improved this, 'cause i didn't
    > have time to explore more this(i have to go to work now :( )
    > Success!!! See u! =)[/ref]

    sorry, i forgot to put the link i used to convert characters:
    http://people.w3.org/rishida/scripts/uniview/conversion.php

    good luck

    Keniobats Guest

  13. #13

    Default Re: how to not write password in code for using to mysql?

    Keniobats wrote:
     

    If the user can read that, then they can read this
     

    And know how to decode the password.




    --

    //Aho
    J.O. Guest

  14. #14

    Default Re: how to not write password in code for using to mysql?

    > If the user can read that, then they can read this

    To me it somehow seems that the original poster is worried about
    someone taking a short look on the code, and being able to read the
    password. I understood that there is no need to be able to permanently
    obfuscate the password for those who have full access to the code.

    If however that is the requirement, you are out of luck. I've never
    used Zend's platform products, but they might have some kind of
    solution to that. Well, I was just thinking about similar behavior to
    Weblogic, where the db passwords are stored and connections created
    via manager-software. Something like this could of course be
    implemented quite straightforwardly as php-extension, but whether that
    would be worth the effort is another issue. So the user doesn't write:
    <code>
    mysql_connect("server", "username", "pass");
    </code>
    But rather:
    <code>
    $MyPlatform::getMysqlConnection("TheConnectionForMySyStem");
    </code>
    Or whatever.

    --
    Jussi
    Deep abstraction kills strong typing.
    http://disczero.com
    http://view.fi
    http://naamio.net
    http://hoffburger.com


    Jussist Guest

  15. #15

    Default Re: how to not write password in code for using to mysql?

    On May 27, 11:15 am, "_mario.lat" <it> wrote: 


    What is this groups overall view on setting up .htaccess with
    something like:
    php_value auto_prepend_file /path/to/password/file.php

    Is this a "Good Thing" or a "Bad Thing"? I have not dared to use it
    yet, though if it never "s up" I'm inclined to think it is more
    secure since the path is hidden even when they can see your scripts.

    sundby Guest

  16. #16

    Default Re: how to not write password in code for using to mysql?

    sundby wrote: 
    >
    >
    > What is this groups overall view on setting up .htaccess with
    > something like:
    > php_value auto_prepend_file /path/to/password/file.php
    >
    > Is this a "Good Thing" or a "Bad Thing"? I have not dared to use it
    > yet, though if it never "s up" I'm inclined to think it is more
    > secure since the path is hidden even when they can see your scripts.[/ref]

    I don't think that will make any change in the security of the password and
    login to the sql server; in most cases if a user is able to read the php code,
    then they are on the local machine and would as likely be able to read the
    .htaccess file and see where the password and login have been stored.
    You really get more protection just by setting the right privileges on the
    file where the password and login have been stored: just set the file to belong
    to the user and the group that the web server is run as (usually
    username:apache) and then see to it that the file is readable by the web server
    (set g+r) and that everyone else doesn't have any privileges at all (set o-rwx),
    and now there are just three users who can read the password/login: the
    user itself, the web server and root (without SELinux-like rules, nothing can
    stop root).
    Keeping the file outside the "web root" will mean that the file won't be
    directly accessible to web visitors; this way, disabling the .htaccess feature in
    apache or misconfiguration of the php module won't make the login/password
    readable (of course if the user uses something like IIS, then it's possible to
    access files outside the "web root", but no sane person would use IIS).


    --

    //Aho
    J.O. Guest
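    The layout and permission advice from posts #2, #7 and #16 (credentials file outside the web root, no symlink to it from public_html, o-rwx on the file) can be checked mechanically. The script below is an added example, not code from any poster; the path names in its comments are illustrative and the checker only needs a file and a web-root directory.

```shell
#!/bin/sh
# Added example, not code from the thread: verifies that a credentials file
# follows posts #2, #7 and #16: it lives outside the web root, no symlink
# under the web root resolves to it, and "other" users have no permission
# bits on it. Example paths such as ~/mypasswords are illustrative.

# Apply post #16's layout: owner rw, web-server group read-only, nobody else.
harden_secret_file() {
    chmod 640 "$1" && chmod 750 "$(dirname "$1")"
}

# check_secret_file SECRET_FILE WEB_ROOT  -> returns 0 when all checks pass
check_secret_file() {
    secret=$1
    webroot=$2
    [ -f "$secret" ] || { echo "missing: $secret" >&2; return 1; }
    [ -d "$webroot" ] || { echo "no such web root: $webroot" >&2; return 1; }
    # canonical paths, so ".." or a symlinked parent cannot fool the prefix test
    real_secret=$(cd "$(dirname "$secret")" && pwd -P)/$(basename "$secret")
    real_webroot=$(cd "$webroot" && pwd -P)

    # 1. the file must not sit anywhere below the web root
    case "$real_secret" in
        "$real_webroot"/*) echo "inside web root: $secret" >&2; return 1 ;;
    esac

    # 2. no symlink below the web root may resolve to the file (post #2's caveat)
    if find "$real_webroot" -type l -exec readlink -f {} \; 2>/dev/null \
            | grep -qFx -- "$real_secret"; then
        echo "a symlink under $webroot exposes $secret" >&2
        return 1
    fi

    # 3. the "other" digit of the mode must be 0 (o-rwx); GNU stat, then BSD stat
    mode=$(stat -c %a "$secret" 2>/dev/null || stat -f %Lp "$secret")
    case "$mode" in
        *0) return 0 ;;
        *)  echo "world-accessible (mode $mode): $secret" >&2; return 1 ;;
    esac
}

# Stand-alone use: ./check_secrets.sh ~/mypasswords/mysql.log.data.php ~/public_html
if [ "$#" -eq 2 ]; then
    check_secret_file "$1" "$2" && echo "ok: $1"
fi
```

    The checker does not enforce group readability (post #16's g+r), since that depends on which group the web server actually runs as.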

  17. #17

    Default Re: how to not write password in code for using to mysql?

    sundby wrote: 
    >
    >
    > What is this groups overall view on setting up .htaccess with
    > something like:
    > php_value auto_prepend_file /path/to/password/file.php
    >
    > Is this a "Good Thing" or a "Bad Thing"? I have not dared to use it
    > yet, though if it never "s up" I'm inclined to think it is more
    > secure since the path is hidden even when they can see your scripts.
    >[/ref]

    First of all, what good is it going to do you? If someone can see
    your source code, they can see your .htaccess.

    Second, why auto-include the file where it's not needed (i.e. pages
    where you don't require database access)?

    --
    ==================
    Remove the "x" from my email address
    Jerry Stuckle
    JDS Computer Training Corp.
    net
    ==================
    Jerry Guest

  18. #18

    Default Re: how to not write password in code for using to mysql?

    > What is this groups overall view on setting up .htaccess with 

    Why do so in an .htaccess file? Do so in the main apache config.
    Besides, I do not think there is much security left if people can see
    the source code.
    The best way to "protect" the passwords is to make them useless: block
    any access from non-known machines (by IP address, for instance).

    Best regards,
    --
    Willem Bogaerts

    Application smith
    Kratz B.V.
    http://www.kratz.nl/
    Willem Guest

  19. #19

    Default Re: how to not write password in code for using to mysql?

    On Sun, 27 May 2007 17:15:42 +0800, mario.lat wrote
    (in article <it>):
     


    well mario , if you understood php , you would understand the answer to your
    question.

    and don't cross post numb nuts


    steve Guest

  20. #20

    Default Re: how to not write password in code for using to mysql?

    steve wrote: 
    >
    >
    > well mario , if you understood php , you would understand the answer to your
    > question.
    >
    > and don't cross post numb nuts
    >
    >[/ref]

    I think your response was completely uncalled for. If you *really*
    understood PHP and web servers, you would understand things *can go
    wrong* - and mario's concern is well founded.

    And you'd also understand that cross-posting is much preferred to
    multi-posting, numb nuts.

    --
    ==================
    Remove the "x" from my email address
    Jerry Stuckle
    JDS Computer Training Corp.
    net
    ==================
    Jerry Guest

