Database passwords and download programs

Forum Moderators: rogerd

Message Too Old, No Replies

Database passwords and download programs

securing your database passwords

silk

4:14 am on Oct 5, 2004 (gmt 0)

Ok i'm interested in a minor issue here. There are certain programs that allow a person to download an entire website so it functions as the whole website offline. Do these programs download all your php scripts as well? If they do, then a lot of logic can be compromised. I suppose this is why i was advised to move my "config" file with all my database info, outside the site root. What i don't fully understand is, how will this prevent a program such as winTTrack from downloading such a file. I am not familiar with the inner workings of this or similar programs.

I plan to test this out myself as soon as i get a little time.

So, if some experienced Mod or Admin can advise me on how to properly secure sensitive data in php scripts.

Thanks in advance

Dave_Palmer

5:59 am on Oct 5, 2004 (gmt 0)

Interesting subject! I can't imagine how an external program could copy the functionality of typical forum software ... for example, in phpBB and other script-driven fora, the end-user only sees the data parsed from the program, not the program itself. Moreover, all of the data is stored in a database, and can only be extracted via the forum scripts. To me, as long as the server is running properly (and running the .php files as programs rather than displaying them as text), it would be extremely difficult to download a whole forum site.

That being said, a few months back I did have a customer's server go nuts and start displaying php files as text, which subsequently left open the config.php (containing database passwords) to the public -- for anyone who knew where to look. It was an easy fix to temporarily hide that file, but ever since then I've been somewhat nervous about that information becoming available.

I do recall reading that it's possible to encode passwords as environmental variables on the server, so that they won't be visible in the script files ... but that won't prevent anyone who has the opportunity to run a malicious script from finding the hidden info.

Overall, I don't think that there's much chance of having your critical forum site files downloaded, but I'd be interested in the other's perspectives in the group!

Best,

Dave

tomda

6:04 am on Oct 5, 2004 (gmt 0)

The websites' grabber softwares do not download your php script, which a server-side script. It will only download your html files (client-side) generated by your server.
Such soft will browse the all of your website, check if the dynamic url has already been spidered, if not it will save a new html file. Because it is HTML (and offline), no way they can read your php, get sensible datas by accessing your databases, etc..

Normally, nobody can access your database file in the root.

Just try the soft and see the result

silk

6:18 am on Oct 5, 2004 (gmt 0)

Lol, sorry about not being absolutely clear on what i wanted. My bad, i'm just like so busy, right now.

No, the functionality of the forum can't be downloded. But files can be. I once downloded an entire site on JSP to learn it. I was wondering if someone attempted to download my website, the folder with the forum might be downloded to. If that happens, then the config file is compromised. Now i have been advised to move the config file (for phpbb2) OUTSIDE the site root. I'm interested in knowing if that will stop john doe and winHTTrack from accessing the config file with all the database connectivity info. Also, there will obviously be some logic in php files, maybe even CSS files that a webmaster will not want disclosed for whatever reason.

How does one prevent files, in particular php scripts from being downloaded by such programs.

silk

6:24 am on Oct 5, 2004 (gmt 0)

ok thanks....thanks...

So the php scripts are safe....:) :) Thx!

i suspected that they don't download php files. Planned a test myself, just buried in work.

Muchas gracias to all that replied....Bless!