How can I secure my db connection script and config files. I generally have a dbconnect.php and a conf.inc or something like that. the dbconnections script gets the host, username, and passwords needed to connection to the db from variables stored in conf.inc. how can I secure these kinds of sensitive files so that they cannot be touched (or seen) by anyone except apache? Obviously the info in conf.inc is all someone would need to get into my db and have their way with it. Is it just a matter of placing these files in a subdir and locking down the linux permissions on that directory? if so, how would I set up my linux permissions to do this, and still let apache have access to them. I'm not really the best at setting up linux permissions. I think the first step would be to disable directory listing in apache with the .htaccess. but what else do I need to do?
thanks in advance.
Well, you shouldn't just use .inc. You should add .inc.php so that it won't be displayed. Other than that, why worry? If you don't use any echo statements, nothing will show anyway. If you are still worried, check google for different numbers to use.
Yeah, thats pretty much what I've been relying on up until now. but what i'm kind of worried about is if someone could download the actual files themselves and not just view what php displays. I guess I'm just worried that if the server gets hacked, and someone gets a hold of those files, they could do some damage. so I want to lock those down as best I can.
some old IIS server where I work has been hacked a couple of times now. I know that my redhat and apache servers are a lot more secure than IIS, but I still wanted to look into every option for securing our data.
Don't ever use root for any normal database operation. And set database-specific users. Example:
yjwong_mambo can access the database yjwong_mambo, but not other databases. This does not secure your database, but prevents larger damage to your database. Do your backups frequently to prevent lots of data loss.