
PHP Server Side Scripting Forum

php security
Are my passwords secure?
wildeyedfrank




msg:1272794
 10:20 am on Mar 10, 2005 (gmt 0)

My login and password information is embedded in some of the PHP scripts.

All of my PHP scripts are in the "public_html" directory.

Are there any scenarios where someone can obtain those scripts without executing them? (and thus get my complete login information for credit card processor)

 

notsleepy




msg:1272795
 2:07 pm on Mar 10, 2005 (gmt 0)

If your server were to crash there is the possibility that your PHP code would be exposed, showing users the path to the file with your passwords and allowing anyone to view them.

Instead, place your password file outside of public_html.

public_html
secure

If you move the file to 'secure' folder you can still include it from public_html by:

require ('../secure/mypasswords.php');


wildeyedfrank




msg:1272796
 10:51 pm on Mar 10, 2005 (gmt 0)

Thank you for the reply!

What makes the other folder secure(er)?

Do I password protect it?
Set permissions differently?

I've got it working (thanks) just trying to understand more of the security concerns

sonjay




msg:1272797
 1:50 am on Mar 11, 2005 (gmt 0)

In the example notsleepy gave, what makes the other folder secure is that it is outside your public_html directory -- i.e., let's assume you have a home directory, and inside your home directory is public_html (where you put your web site files). You put your "secure" folder in your home directory, but not inside public_html.

Anything in that directory is not accessible from a browser. Thus, it will be pretty secure from anyone accessing the server via a browser.

But keep in mind that depending on how the server's file system security is set up, other users on the server may be able to access those files through the file system. Ideally, they shouldn't be able to, but on some servers it's possible. But it would be inaccessible from a browser.

StupidScript




msg:1272798
 4:21 am on Mar 11, 2005 (gmt 0)

In addition to the previous posts ...

Your web server runs as user "nobody" or "apache" (if you're using Apache).

If a malicious intruder guesses the password for user "nobody" or "apache", they have read/write access to any file that "nobody" or "apache" has access to. Which means ...

They can now read/modify any file accessible by your web server's "user", including any files stored in directories accessible by "nobody" or "apache".

By storing the sensitive files in an alternate directory, preferably outside of the "normal" web server directories, you have the opportunity to restrict access to sensitive files, or to at least establish a different authorization mechanism for those files, which reduces the chance that they will be compromised.

You can usually set up any authentication mechanism (i.e. mysql login) in a less-susceptible directory, and use the various PHP authentication mechanisms to get into those sensitive directories by using a different username/password combination from the default web server username/password combinations ... reducing the chance of compromise.

Check out the various encryption methods available to you in PHP, realizing that many of them have been compromised on a global basis, for specific instances at a very profound level. For example, SSH0, SSH1, MD5 and others have been found to be able to be compromised by very sophisticated, very specific ways ... probably not for you to worry about in day-to-day implementations, but worth researching.

vabtz




msg:1272799
 4:34 am on Mar 11, 2005 (gmt 0)

If you're on a shared host it may be possible for the other users to fish for the file. Esp. if you're not running phpsuexec or something similar.
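As an added illustration of the layout notsleepy and sonjay describe and of the shared-host caveat vabtz raises (example code, not from anyone in the thread): a small loader that only accepts a credentials file sitting outside the document root and not readable by other accounts. The directory paths and the assumption that mypasswords.php simply returns an array are mine.

```php
<?php
// Added example, not posted in the thread. Assumed layout:
//   /home/site/public_html/   document root, scripts live here
//   /home/site/secure/        credentials, outside the web root
// Assumed contents of /home/site/secure/mypasswords.php:
//   <?php return ['login' => 'merchant-id', 'password' => 'secret'];

/**
 * Load credentials from a file that must live outside the web root
 * and must not be readable by other accounts on the same host.
 */
function load_credentials(string $path, string $docroot): array
{
    $real = realpath($path);
    $root = realpath($docroot);
    if ($real === false || $root === false) {
        throw new RuntimeException('credentials file or document root not found');
    }

    // Refuse anything under the document root: if PHP ever stops being
    // executed (misconfiguration, crash), the server would serve it as text.
    if (strpos($real, rtrim($root, '/') . '/') === 0) {
        throw new RuntimeException("credentials file is inside the document root: $real");
    }

    // On a shared host the "other" read bit lets every account read the file.
    // Without suexec/phpsuexec the web server's own user (nobody/apache) still
    // needs access, which is exactly the tension the thread points out.
    $mode = fileperms($real) & 0777;
    if ($mode & 0007) {
        throw new RuntimeException(sprintf('credentials file is world-accessible: %04o', $mode));
    }

    $creds = include $real;
    if (!is_array($creds) || !isset($creds['login'], $creds['password'])) {
        throw new RuntimeException('credentials file did not return login/password');
    }
    return $creds;
}

// Usage from a script inside public_html (paths are assumptions).
$creds = load_credentials(__DIR__ . '/../secure/mypasswords.php', $_SERVER['DOCUMENT_ROOT']);
```

Run it once from the script that talks to the card processor and let the exception surface in the error log rather than on the page, so a mis-set permission is caught before any request handles real card data.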

wildeyedfrank




msg:1272800
 11:16 am on Mar 11, 2005 (gmt 0)

Many thanks for all the replies!

Looks like it won't be as simple as I had hoped...but when is it?

(I guess setting up the credit card wasn't as hard as I'd expected)

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved