

Storing MySQL connection data securely and conveniently





Gregoric
Hello again Frihosters

I have read tons of tutorials about connecting to a MySQL database, but all of them explained only the basic way to do it. Now, when I want to have my connection data (host/server name, password, etc.) secure and easily accessible from my scripts, I am not sure how to achieve that.

I am going to use a separate class to connect and work with MySQL data, so in this case the class itself stores all the required connection data as private variables. My question: is it secure?

Another thing came to my mind. If I would like to let other users easily use my script, I have to let them set their MySQL connection themselves. The way I want to do this (and how I do it at the moment) is to store all those connection variables as constants (define with PHP) and then include the file in others that require that data. This way, other users can modify MySQL data with ease, but again the question: is it secure?

Thank you for any upcoming advice!
Bondings
If someone has access to the file (can include it), then they can see the contents, including the password. With PHP you do echo "file.php" and it will show that file.
Gregoric
Bondings wrote:
If someone has access to the file (can include it), then they can see the contents, including the password. With PHP you do echo "file.php" and it will show that file.


So let me show you something that I found some time ago and have used until now; it's a kind of basic authentication. I have files A.php and B.php. B stores the connection and configuration data. In A.php I define some constant, let's say includeCheck. File B contains a statement that checks if 'includeCheck' is already defined. If not, it exits. So, every file that would like to include B.php must define 'includeCheck' first. Is it safe enough? Of course, the only person that has manual access to the server is me, but the question is whether someone else can see the contents of B.php?
Bondings
Gregoric wrote:
Bondings wrote:
If someone has access to the file (can include it), then they can see the contents, including the password. With PHP you do echo "file.php" and it will show that file.


So let me show you something that I found some time ago and have used until now; it's a kind of basic authentication. I have files A.php and B.php. B stores the connection and configuration data. In A.php I define some constant, let's say includeCheck. File B contains a statement that checks if 'includeCheck' is already defined. If not, it exits. So, every file that would like to include B.php must define 'includeCheck' first. Is it safe enough? Of course, the only person that has manual access to the server is me, but the question is whether someone else can see the contents of B.php?

It depends on what exactly you wish to do. If you give other people the ability to write some PHP code (like a PHP file), then they can access pretty much all your files. You can check for the variable, but they can simply read the file.

Let's say they upload the following PHP file, example.php:
Code:
<?php
$myFile = "B.php";
$fh = fopen($myFile, 'r');
$theData = fread($fh, filesize($myFile));
fclose($fh);
echo $theData;
?>

It will display the php file in the browser.

If someone is able to upload a php file somewhere in your account or some other way execute some php code, you should assume that they have access to everything in your account. It's not completely everything, but close.

If you are afraid that someone goes to your website URL (or in a script) and executes yourwebsite.com/B.php, then what you are trying to do will prevent them from executing the rest of the file. However, unless B.php causes any modifications or outputs any data, this is not even needed (but you can leave it just in case).
Gregoric
I haven't said exactly what I mean. By 'letting others use my program' I mean sharing the whole script to let others install it on their desired server and modify the configuration file (B.php from the example) manually. Something like a CMS. Protecting files with this method in this case may be obvious for you, but I just wanted to ask to be sure.

Also, what chmod should I use on folders and files? Do you know some tutorial explaining all the privileges? Or is it so simple that you can show me the way I should use it here?
xpcpro
http://php.net/manual/en/function.chmod.php for the chmod.
Are you trying to let others put one file on their servers and access one on yours?
imagefree
The question arising here is what do you mean by secure?

How will you share your database class with others? Are you talking about open source?

Without relevant information, I can suggest only the following. Check if it applies to your scenario:

1. Keep your secrets outside the public directory (mostly public_html).

2. Immediately unset( ) connection data after setting up a connection. So, use variables for keeping connection data.

3. Keep the connection data independent from the class, so that more than one server can be connected to, or the class can be used by more than one user.

4. The security of your connection data depends upon the security of your server. If someone can readfile( ) your PHP files (as Bondings said), then any security measure is useless. You cannot encrypt/decrypt your data because the encryption/decryption code can also be read using readfile( ).

So, it all depends upon what you are going to do, and what do you mean by security, and what is the level of access other users have.

Further details from your side could be helpful in understanding the scenario.
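
An added example (not part of the post above, and not code from anyone in the thread) of points 1 to 3 and of the chmod question: the settings live in a file outside the web root, the loader refuses a file that other users can access, and the connect function takes the settings as an argument instead of storing them. The path, array keys and function names are hypothetical, and the permission check assumes PHP runs as the owner of the file.

```php
<?php
// Added example, not code from the thread. Paths, keys and names are hypothetical.
declare(strict_types=1);

// Settings live in a file outside the web root that contains only a return
// statement, so it prints nothing even if it is ever requested directly:
//   <?php return ['host' => ..., 'name' => ..., 'user' => ..., 'pass' => ...];
function loadDbConfig(string $path): array
{
    clearstatcache(true, $path);
    $perms = fileperms($path);
    if ($perms === false) {
        throw new RuntimeException('Cannot stat config file');
    }
    // Assumption: PHP runs as the file's owner, so "other" needs no access bits.
    if (($perms & 0007) !== 0) {
        throw new RuntimeException('Config file is accessible to other users; chmod 600 it');
    }
    $cfg = require $path;
    foreach (['host', 'name', 'user', 'pass'] as $key) {
        if (!is_array($cfg) || !isset($cfg[$key])) {
            throw new RuntimeException("Config file is missing '$key'");
        }
    }
    return $cfg;
}

// The connection code receives the settings; it never hard-codes or keeps them.
function connect(array $cfg): PDO
{
    $dsn = "mysql:host={$cfg['host']};dbname={$cfg['name']};charset=utf8mb4";
    try {
        return new PDO($dsn, $cfg['user'], $cfg['pass'], [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    } catch (PDOException $e) {
        // Log server-side only; the original exception's trace can contain the password.
        error_log('DB connect failed: ' . $e->getMessage());
        throw new RuntimeException('Database connection failed');
    }
}

// Constructed demo: a throwaway file stands in for /home/account/private/db-config.php.
$path = tempnam(sys_get_temp_dir(), 'dbcfg');
file_put_contents($path, "<?php return ['host'=>'localhost','name'=>'app','user'=>'app','pass'=>'example-only'];");
chmod($path, 0600);
$cfg = loadDbConfig($path);
echo "loaded settings for {$cfg['user']}@{$cfg['host']}\n";
// $pdo = connect($cfg); unset($cfg);   // drop the plaintext copy once connected
chmod($path, 0644);                      // readable by others: the loader must refuse it
try { loadDbConfig($path); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
unlink($path);
```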
cLean
imagefree, how could I check if a user could use readfile() on my server(s)?
Also, when you say keep the connection data independent from the class, do you mean
Code:

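<?php
class example {
    // Connection status kept inside the class itself
    private $conn = 'blahconnectionstatus';

    public function check() {
        if ($this->conn == 'blahconnectionstatus') {
            echo 'job well done you are becoming unsecure';
        }
    }
}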