FRIHOST FORUMS SEARCH FAQ TOS BLOGS COMPETITIONS
You are invited to Log in or Register a free Frihost Account!


Web service username/password safety





jmraker
I often write programs that use web services like UPS/authorize.net/paypal/etc where each one has username, password, api key, whatever key.

I like to store those values in a config file (a php file) in some misc directory
I've also seen it done by storing the stuff in the mysql database.

Which do you think is safer, in a file or in the database? where one can get stolen in a FTP/command prompt hack, and the other could get stolen with a database hack
Diablosblizz
Well, it depends. Do you have the passwords / usernames encoded, and are they encoded more than once? I would go with MySQL, it's a bit less hackable.
kv
I wouldn't store plain text passwords/keys/etc either in database or text files. It is always better to ask user for sensitive information everytime. If not possible, use some encryption algorithm which allows private/public key pair. You can store public key and encrypted sensitive data in either db or file (even if it is hacked, it will not make sense unless you have private key). Ask for private key to be passed by user (may be once per session or so). Then use the info to decrypt the sensitive data.
jmraker
kv wrote:
I wouldn't store plain text passwords/keys/etc either in database or text files. It is always better to ask user for sensitive information everytime. If not possible, use some encryption algorithm which allows private/public key pair. You can store public key and encrypted sensitive data in either db or file (even if it is hacked, it will not make sense unless you have private key). Ask for private key to be passed by user (may be once per session or so). Then use the info to decrypt the sensitive data.


The password/keys/etc is for the client's company paypal/authorize.net account so the program can bill a credit card, UPS so it can calculate shipping charges, etc so it use a site's geocoding, all stuff done in the background, sometimes in a cron job

I guess the question also applies to the database's username/password used for connection, but obviously that can't be stored in the database it connects to.

My logic for doing it in files is.
. A SQL injection attack could be used
. If the site files are hacked so the php files are stolen/read/edited, the database can also be at risk
. . They can get the database username/password
. . They can get the encryption key that decrypts their customer's credit cards in the database
. . They could write a backdoor program into the database

If my config file looks like
Code:

<?php

   define('paypal_username', "ClientCompany001_api1.hotmail.com");
   define('paypal_password', "Fctf2bCa6dfg2oOc");
   define('paypal_signature', "da7reo4bQaeoce3gd4EdbNd7Io8f5oRdf6c2cVcJBaDjmAd1ed1aTct5eJbK");
?>

How should I go about encrypting it so it's safer?
kv
In this case, I guess encryption is not a solution, since you will have to decrypt it before using. And if you are using a weak encryption which does not require password to decrypt and is based on some algo, it is as good as no encryption.

If you are using a *nix box and apache, having data in php file and the file having permissions only for the user running apache should make it secure enough.
riccopt
for some reason I like using htacces combined with htpasswd to make the directories protected...
rvec
that wouldn't really change anything here.

Don't know how anyone would read from a php file anyway, besides access to the server, but wouldn't he be able to make a new php file and execute that with apache? or a serious exploit in your code, but in that case he could read the file just like apache could.
rockacola
Have a look on how other CMS or Forum board does this and learn from them.

Razz
kacsababa
If somebody has access to your files then you lost there.
Your php application should reach the database so you need to store the username, password somewhere to that too.
Protect your directories and always give minimum permissions everywhere.

Try use some uniqunes on that how you encrypt your passwords, for example more then once encryption, salt using and where you put the salt.

Always make sure to check the validy of the information which comes to your application.
On this vulnerability search for "SQL Injection", "XSS Attack" or "XSS Hack" and "CSRF" and "XSRF" attacks and that how can you protect yourself from these. These are the most common attacks on the "frontline".
mahirh
first of all , use a perfect password so that no one can guess it then try using crypt() function in php since it doesnt have a decrypt function , no one will ever be able to see you password even if they have access to your file http://www.php.net/manual/en/function.crypt.php , since there is no decryption, it has a one-way algorithm
Related topics
Reply to topic    Frihost Forum Index -> Scripting -> Php and MySQL

FRIHOST HOME | FAQ | TOS | ABOUT US | CONTACT US | SITE MAP
© 2005-2011 Frihost, forums powered by phpBB.