
php security

Are my passwords secure?



10:20 am on Mar 10, 2005 (gmt 0)

10+ Year Member

My login and password information is embedded in some of the PHP scripts.

All of my PHP scripts are in the "public_html" directory.

Are there any scenarios where someone can obtain those scripts without executing them? (and thus get my complete login information for credit card processor)


2:07 pm on Mar 10, 2005 (gmt 0)

10+ Year Member

If your server were to crash there is the possibility that your PHP code would be exposed, showing users the path to the file with your passwords and allowing anyone to view them.

Instead, place your password file outside of public_html.


If you move the file to 'secure' folder you can still include it from public_html by:

require ('../secure/mypasswords.php');


10:51 pm on Mar 10, 2005 (gmt 0)

10+ Year Member

Thank you for the reply!

What makes the other folder secure(er)?

Do I password protect it?
Set permissions differently?

I've got it working (thanks) just trying to understand more of the security concerns


1:50 am on Mar 11, 2005 (gmt 0)

10+ Year Member

In the example notsleepy gave, what makes the other folder secure is that it is outside your public_html directory -- i.e., let's assume you have a home directory, and inside your home directory is public_html (where you put your web site files). You put your "secure" folder in your home directory, but not inside public_html.

Anything in that directory is not accessible from a browser. Thus, it will be pretty secure from anyone accessing the server via a browser.

But keep in mind that depending on how the server's file system security is set up, other users on the server may be able to access those files through the file system. Ideally, they shouldn't be able to, but on some servers it's possible. But it would be inaccessible from a browser.


4:21 am on Mar 11, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

In addition to the previous posts ...

Your web server runs as user "nobody" or "apache" (if you're using Apache).

If a malicious intruder guesses the password for user "nobody" or "apache", they have read/write access to any file that "nobody" or "apache" has access to. Which means ...

They can now read/modify any file accessible by your web server's "user", including any files stored in directories accessible by "nobody" or "apache".

By storing the sensitive files in an alternate directory, preferably outside of the "normal" web server directories, you have the opportunity to restrict access to sensitive files, or to at least establish a different authorization mechanism for those files, which reduces the chance that they will be compromised.

You can usually set up any authentication mechanism (i.e. mysql login) in a less-susceptible directory, and use the various PHP authentication mechanisms to get into those sensitive directories by using a different username/password combination from the default web server username/password combinations ... reducing the chance of compromise.

Check out the various encryption methods available to you in PHP, realizing that many of them have been compromised on a global basis, for specific instances at a very profound level. For example, SSH0, SSH1, MD5 and others have been found to be able to be compromised by very sophisticated, very specific ways ... probably not for you to worry about in day-to-day implementations, but worth researching.


4:34 am on Mar 11, 2005 (gmt 0)

If you're on a shared host it may be possible for the other users to fish for the file. Esp. if you're not running phpsuexec or something similar.
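The two points raised in this thread (keep the credentials file outside public_html and include it from there, per notsleepy's reply, and watch file-system permissions on a shared host, per the later replies) can be combined into one loader. The following is an added example written for this page, not code posted by anyone in the thread; it assumes a layout of /home/site/public_html/checkout.php (the script) and /home/site/secure/mypasswords.php (a PHP file that simply returns an array), and the function name load_credentials is invented for illustration.

```php
<?php
// Added example, not from the original thread.
// Assumed layout:
//   /home/site/secure/mypasswords.php   -- outside the web root, e.g.:
//       <?php return ['cc_login' => '...', 'cc_password' => '...'];
//   /home/site/public_html/checkout.php -- this script
// Create the secrets file with restrictive permissions, e.g. chmod 600.

declare(strict_types=1);

function load_credentials(string $relativePath): array
{
    // Resolve relative to this script's directory rather than the current
    // working directory, so the include target does not depend on how PHP
    // was invoked (CLI, cron, web request).
    $path = realpath(__DIR__ . '/' . $relativePath);
    if ($path === false) {
        throw new RuntimeException('credentials file not found');
    }

    // Refuse a file that lives under the document root: if PHP handling ever
    // fails (the crash scenario described in the thread), anything in there
    // can be served to a browser as plain text.
    $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docRoot !== false) {
        $prefix = rtrim($docRoot, '/') . '/';
        if (strpos($path, $prefix) === 0) {
            throw new RuntimeException('credentials file is inside the web root');
        }
    }

    // On a shared host other accounts can read a group- or world-readable
    // file straight through the filesystem; refuse any group/other bits.
    $perms = fileperms($path);
    if ($perms !== false && ($perms & 0077) !== 0) {
        throw new RuntimeException(sprintf(
            'credentials file mode %o is too permissive (expected 0600)',
            $perms & 0777
        ));
    }

    // The secrets file returns an array; never echo its contents.
    $creds = require $path;
    if (!is_array($creds)) {
        throw new RuntimeException('credentials file must return an array');
    }
    return $creds;
}

$creds = load_credentials('../secure/mypasswords.php');
// $creds['cc_login'] and $creds['cc_password'] are now available to the
// payment code; they are never written to output or logs.
```

The permission check only works as intended when PHP runs as your own account (phpsuexec or a per-user PHP-FPM pool). On a host where every site's PHP runs as a shared "nobody" or "apache" user, the file must be readable by that user, so mode 0600 owned by you would make the include fail; in that setup the file is necessarily readable by every other site's scripts too, which is exactly the exposure the last reply describes, and the real fix is the hosting configuration rather than anything in the script.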


11:16 am on Mar 11, 2005 (gmt 0)

10+ Year Member

Many thanks for all the replies!

Looks like it won't be as simple as I had hoped...but when is it?

(I guess setting up the credit card wasn't as hard as I'd expected)

