LinuxQuestions.org
Old 03-10-2006, 04:13 PM   #1
dubya
Member
 
Registered: Mar 2004
Location: Kitchener, Ontario, Canada
Posts: 386

Sensitive MySQL info in readable PHP file


Hi,

I have a personal website written in PHP whose content I control through a MySQL database. On each page I call a function to connect to the database. This function contains my database username and password in plain text, in order to connect. I didn't realize it, but anyone else with a user account on the server could easily browse into my public_html directory and take a look at the file containing this function, which would reveal my username and password.

Changing permissions won't work because the file with the function needs to be readable by all in order to include it in public files. I've thought there might be a way to leave the function public while hiding the username and password in a global variable defined elsewhere, hidden.

I've been doing this for a while but didn't realize the possible security breach until recently and haven't found a solution yet although I'm sure one must exist. Any help would be greatly appreciated.
 
Old 03-10-2006, 08:39 PM   #2
PenguinPwrdBox
Member
 
Registered: Oct 2003
Location: /illinois/chicago
Distribution: Slackware/Gentoo/FC/RHEL
Posts: 568

Quote:
I've thought there might be a way to leave the function public while hiding the username and password in a global variable defined elsewhere, hidden.
chown it to apache:apache, chmod 400
 
Old 03-10-2006, 08:49 PM   #3
dubya
Member
 
Registered: Mar 2004
Location: Kitchener, Ontario, Canada
Posts: 386

Original Poster
chown says that apache is an invalid user. Do I need to be root to do this? Because I don't have root access, only regular user access.
 
Old 03-11-2006, 12:34 AM   #4
paulsm4
Guru
 
Registered: Mar 2004
Distribution: SusE 8.2
Posts: 5,863
Blog Entries: 1

Hi -

PenguinPwrdBox is saying that, if you have confidential information (like a password) in your .php source file, then you need to restrict who can read that file.

Of course, he's right.

When he said "chown apache:apache myfile.php", he meant to change to whatever username/group your web server runs in. It's often "apache/apache", but you'll need to find this out yourself.

When you say "I don't have root privileges", you don't necessarily need to be "root" ... but you DO need enough privileges to change your file's owner/group.

And having changed it, you'll probably want to be a member of the group that can still read (and preferably also modify) your source file.

'Hope that helps .. PSM

Last edited by paulsm4; 03-11-2006 at 12:35 AM.
 
Old 03-11-2006, 09:10 AM   #5
Hko
Senior Member
 
Registered: Aug 2002
Location: Groningen, The Netherlands
Distribution: ubuntu
Posts: 2,530

You could also try to have the PHP script read the file using fopen() + fread() or fgets().

You can then store it in another directory, and it doesn't have to be readable by the public ("other"). But you will need to find some way to make it readable by the web server (apache).

BTW, on Debian apache doesn't run as user "apache" but instead as "www-data".
 
Old 03-11-2006, 09:18 AM   #6
graemef
Senior Member
 
Registered: Nov 2005
Location: Hanoi
Distribution: Fedora 13, Ubuntu 10.04
Posts: 2,379

Quote:
Originally Posted by Hko
You could also try to have the PHP script read the file using fopen() + fread() or fgets().
Yes but including or requiring the file is much simpler to code.

PHP Code:
<?php
// password.inc holds the database credentials; keep it in a directory that is not world-readable
require_once "password.inc";
 
Old 03-13-2006, 03:16 PM   #7
taylor_venable
Member
 
Registered: Jun 2005
Location: Indiana, USA
Distribution: OpenBSD, Ubuntu
Posts: 892

But even in this case (reading from a separate file), the password file still needs to be readable by the webserver, which puts it right back into the same situation as if the info were directly in the PHP file itself. (And using a PHP include statement, it technically is.)

The reason this kind of information isn't exposed is because any PHP file getting sent out by the web server gets processed before it is sent out. Hence, your password can't be seen unless it is downloaded using an alternative (e.g. FTP) method. Of course, any sensitive data of this nature should not be publicly accessible by any method other than HTTP or HTTPS.
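Hko's suggestion (post #5) of reading the credentials from a separate file, combined with taylor_venable's point that the file must still be readable by the web server, as an added example that is not code from any poster in this thread: the file under public_html holds only a path, and the loader refuses a world-readable credentials file. The path `/home/dubya/private/db.conf`, the `key=value` format, the key names and the function name `load_db_credentials` are assumptions for illustration.

```php
<?php
// Added example (not from any poster in this thread): load the MySQL
// credentials from a file kept outside public_html, in the spirit of Hko's
// fopen()/fgets() suggestion, and refuse to use it if "other" can read it.
// The path, key names and function name are assumptions for illustration.
define('DB_CREDENTIALS_FILE', '/home/dubya/private/db.conf'); // assumed path

function load_db_credentials(string $path): array
{
    if (!is_file($path)) {
        throw new RuntimeException("credentials file not found: $path");
    }
    // fileperms() returns the mode bits; 0004 is the "other: read" bit.
    $mode = fileperms($path);
    if ($mode === false || ($mode & 0004) !== 0) {
        throw new RuntimeException("$path is world-readable; chmod o-r it");
    }
    // The file must still be readable by the web server user (e.g. www-data).
    $fh = fopen($path, 'r');
    if ($fh === false) {
        throw new RuntimeException("cannot open $path as the web server user");
    }
    $creds = [];
    while (($line = fgets($fh)) !== false) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue; // skip blank lines and comments
        }
        // Expected format, one "key=value" per line: host=, user=, password=, dbname=
        [$key, $value] = array_map('trim', explode('=', $line, 2) + [1 => '']);
        $creds[$key] = $value;
    }
    fclose($fh);
    foreach (['host', 'user', 'password', 'dbname'] as $required) {
        if (!isset($creds[$required]) || $creds[$required] === '') {
            throw new RuntimeException("missing '$required' in $path");
        }
    }
    return $creds;
}

// In a page under public_html: this file carries no secret, only the path.
$creds = load_db_credentials(DB_CREDENTIALS_FILE);
$db = new mysqli($creds['host'], $creds['user'], $creds['password'], $creds['dbname']);
if ($db->connect_error) {
    error_log('DB connect failed: ' . $db->connect_error); // log it, never echo it
    http_response_code(500);
    exit('Database unavailable');
}
```

On a shared host where you cannot chown the file, the permission check above will only pass if the web server user reaches the file through a group you both belong to, which is exactly the constraint taylor_venable describes.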
 
Old 03-13-2006, 03:31 PM   #8
dubya
Member
 
Registered: Mar 2004
Location: Kitchener, Ontario, Canada
Posts: 386

Original Poster
I'm confident that in order to access this file, you need to have a valid login to the server, not just anonymous. The appropriate user name is indeed www-data, but I don't have the permission to change the file's owner. Putting the information in a separate file then including it or using fopen simply, as taylor stated, puts me in the same situation as if the info was in the same file.

How is this usually done on websites where security is a big issue? I realize a big problem here is that there are many users that I don't know who could access the file instead of being able to control the users on the server.
 
  


All times are GMT -5. The time now is 05:34 AM.
