Including passwords in scripts - CodingForum


Including passwords in scripts


  • Including passwords in scripts

    Greetings,

    Let's say I have a PHP script that connects to a MySQL database. This particular script creates tables, deletes tables, inserts rows, etc. In order for this operation to be successful, a username and password need to be supplied in the script - in plain text. *gets really nervous*

    You probably see my question coming:
    How do I protect the usernames and passwords I include in my scripts? Is some type of encryption function available? Is there a different place where these credentials can be placed and yet still be referenced in the scripts?

    Thank you for your time,

    *Nick*

  • #2
    This question was answered not long ago, but here goes again...
    Any text written in PHP tags cannot be seen in source view; the only way it will be able to be seen is if someone has access to your FTP who shouldn't have.

    PHP Code:
    <?php
    $username = "usrname";
    $pass = "pass";
    $host = "localhost";
    // safe from people viewing the php file as a webpage or when they try saving the file
    ?>
    Hope this helps; if not, reply and I'll try to explain a little clearer.



    • #3
      Here is an example I made for you:
      http://jay.stuff4yoursite.org/cantseephp.txt
      http://jay.stuff4yoursite.org/cantseephp.php
      Both files contain the same data; one is being parsed as a PHP file, which will hide the stuff in the <?php ?> tags.

      ....
      Don't forget the reputation button.



      • #4
        Don't pass any of that information at all in your script. Have a connection file that contains that connection info and save it in a directory outside your www directory. Then include that file.

        I have a separate file named data.php outside my www directory; it merely contains the following:

        PHP Code:
        <?php
        $username = 'davemysql';
        $password = 'xxxxxxx';
        $servername = 'localhost';
        $db = 'sports';
        ?>
        Then, within the script that needs to connect to that database, I call that file like this:

        PHP Code:
        require_once($_SERVER['DOCUMENT_ROOT'].'/data/data.php'); 
        Then there is no chance that the file contents, including the login name and password, get compromised unless someone gains full access to the server.

        Then further down I pass the information to my connection like so:
        PHP Code:
        $conn = mysql_pconnect($servername, $username, $password);



        • #5
          Hi guelphdad, why should you not pass any connection usernames/passwords/hosts in your PHP scripts? I see many people with it in their scripts.



          • #6
            In theory trying to view the script with the database info should only result in the results being sent to the client and not the raw source, but of course you can never be too careful. If possible, put the php file with the connection variables somewhere outside the directory that is web-accessible.

            Something I've done in a lot of code I've written is have a file called db.php or similar, which contains the database password and whatnot along with a die() statement, like this:

            PHP Code:
            <?php
            if (!defined('IN_APP'))
            {
                die();
            }

            define("DB_USERNAME", 'foo');
            define("DB_PASSWORD", 'bar');
            // etc etc etc
            and then on any page that needs to access the database:

            PHP Code:
            <?php
            define("IN_APP", true);

            require('path/to/db.php');

            if ($sqlhandle = mysql_connect('localhost', DB_USERNAME, DB_PASSWORD))
            {
                // etc etc etc
            }

            if ($sqlhandle)
            {
                mysql_close($sqlhandle);
            }



            • #7
              As with everything to do with security, nothing is completely secure, and to what lengths you go should depend on the value of what's being protected.
              Having the password in a file not inside the web root (as guelphdad suggests) means that should your web server fail to serve .php files properly for some reason (someone editing the Apache conf and screwing up), your passwords won't appear when people view pages.
              Taking this one step further, some applications will have all PHP files outside of the web root, save an index page which resides in the www directory (along with images and CSS and such things) which handles including everything else.
              My thoughts on some things: http://codemeetsmusic.com
              And my scrapbook of cool things: http://gjones.tumblr.com
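The pattern from #4, #6 and #7 put together as an added example (written for this thread, not any poster's code): the credentials file sits one level above the web root, refuses direct requests with the IN_APP guard, and the including script verifies with realpath() that the file really is outside DOCUMENT_ROOT before loading it. Paths, the IN_APP constant, the array keys and the use of PDO instead of the thread's mysql_* functions are all assumptions; two files are shown in one block.

```php
<?php
// ---- File 1: /var/www/private/db.php (directory ABOVE the web root; path assumed)
// Guard: if this file is ever requested directly (e.g. PHP handling broken in the
// Apache conf, as #7 describes), return nothing useful instead of the source.
if (!defined('IN_APP')) {
    http_response_code(404);
    exit;
}
return [
    'host' => 'localhost',
    'user' => 'sports_app',   // a restricted account, as #8 recommends
    'pass' => 'REPLACE_ME',   // placeholder, not a real password
    'db'   => 'sports',
];
?>
<?php
// ---- File 2: /var/www/html/index.php (inside the web root)
define('IN_APP', true);

// Resolve the credentials file relative to THIS file, one level up, rather than
// relative to DOCUMENT_ROOT (which would keep it inside the web root).
$cfgFile = dirname(__DIR__) . '/private/db.php';

// Check: refuse to run if the file is missing or resolves to somewhere under the web root.
$docRoot = realpath($_SERVER['DOCUMENT_ROOT']);
$real    = realpath($cfgFile);
if ($real === false || $docRoot === false
    || strpos($real, rtrim($docRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR) === 0) {
    error_log('credentials file missing or inside the document root: ' . $cfgFile);
    http_response_code(500);
    exit;
}

$cfg = require $cfgFile;   // the guarded file returns the array above
$pdo = new PDO(
    sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $cfg['host'], $cfg['db']),
    $cfg['user'],
    $cfg['pass'],
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);
unset($cfg);   // don't leave the password in a global for the rest of the request
```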



              • #8
                Another wise thing to do regarding database security and compromised passwords is to have a database user who has restricted permissions to your database. ONLY what is required. For the frontend that could be as simple as read/insert (as opposed to creating a db user and giving them ALL permissions via cPanel).

                I'm often guilty of not doing this myself though as it becomes a pain in the arse - but it is something to think about post-development wise anyway.
                Active PHP/MySQL application developer available for immediate work.
                syosoft.com mavieo.com - Remote Web Site Administration Suite - Reseller Ready
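An added check for the advice in #8 (example written for this thread, not the poster's code): parse the output of SHOW GRANTS for the account the application connects with and flag privileges a web frontend should never hold, so a leaked password buys as little as possible. The privilege list, the account name and the use of PDO are assumptions; the sample grant lines are constructed.

```php
<?php
// Privileges this check treats as too much for a read/insert frontend (author's choice).
const DANGEROUS = ['ALL PRIVILEGES', 'DROP', 'ALTER', 'CREATE', 'GRANT OPTION',
                   'SUPER', 'FILE', 'PROCESS', 'SHUTDOWN', 'CREATE USER'];

/** Return the dangerous privileges found in an array of SHOW GRANTS output lines. */
function overPrivileged(array $grantLines): array
{
    $found = [];
    foreach ($grantLines as $line) {
        // e.g. GRANT SELECT, INSERT ON `sports`.* TO 'sports_app'@'localhost' [WITH GRANT OPTION]
        if (!preg_match('/^GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\b(.*)$/i', $line, $m)) {
            continue;
        }
        $privs = array_map('trim', explode(',', $m[1]));
        if (stripos($m[3], 'WITH GRANT OPTION') !== false) {
            $privs[] = 'GRANT OPTION';
        }
        foreach ($privs as $p) {
            if (in_array(strtoupper($p), DANGEROUS, true)) {
                $found[] = strtoupper($p) . ' on ' . $m[2];
            }
        }
    }
    return $found;
}

/** Live check against whatever account the application actually connected with. */
function auditCurrentUser(PDO $pdo): array
{
    $rows = $pdo->query('SHOW GRANTS FOR CURRENT_USER()')->fetchAll(PDO::FETCH_COLUMN);
    return overPrivileged($rows);
}

// Constructed sample: the kind of account "ALL PRIVILEGES via cPanel" produces.
$broad = [
    "GRANT USAGE ON *.* TO 'sports_app'@'localhost'",
    "GRANT ALL PRIVILEGES ON `sports`.* TO 'sports_app'@'localhost'",
];
// Constructed sample: read/insert only, as #8 recommends for a frontend.
$tight = ["GRANT SELECT, INSERT ON `sports`.* TO 'sports_app'@'localhost'"];

print_r(overPrivileged($broad));
print_r(overPrivileged($tight));
```

Run auditCurrentUser() once at deploy time or from a health check; a non-empty result means the frontend account should be re-granted with only the statements it needs.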

