prevent from looking at a file?


mazeroth
02-03-2003, 01:46 AM
Ok, I need some help. Basically I'm learning mysql and php. I'm doing well so far but I have a security concern. To connect to a database, I have to put the username and password for that db in a php file. The problem is that anyone that logs into this machine can just open the file up and look at it to see the user name and password. I don't like that hehe. I can't get rid of the read attribute because then I can't use that file... how can I prevent a user on my server from looking in this file? How do I protect the username and password? Thanks.

Joey

vbp6us
02-03-2003, 01:56 AM
What about making a hint instead of putting the actual password in. Put the username in but for the password make a question out of it in notes. I don't know how you insert notes in php (# or //) but that should work.

mazeroth
02-03-2003, 02:12 AM
Thanks but I can't do that. The file needs to have the username and password or else it won't be able to access the mysql database to retrieve or insert data into it. I just need to do something so others can't view the file.

GeekGuy
02-03-2003, 04:43 AM
chmod 600 or chmod 700 if it's executable. This allows only root read-write or read-write-execute on the file.

Another way is to place the file in a folder where .htaccess denies access to anyone except root.

Choozo
02-03-2003, 06:37 AM
Make it readable by the process that runs Apache only (either nobody or apache as configured in your httpd.conf file). That is, 'chown apache.apache [your-phpfile]' then 'chmod 600 [your-phpfile]'

mazeroth
02-03-2003, 09:37 AM
Thanks, you guys rule. I changed it to user/apache with chmod 600 and that works like a charm. I should have thought of that! Because it makes plenty of sense. I'm going to look more into .htaccess to learn more about it as well. Thanks.

nouse66
03-17-2004, 04:38 AM
i'm trying to do the same thing but on a webhost so i'm not sure that i can do the chown. i chmoded to 600 via ftp and i can still read my include file. i usually just put my sensitive include files in a directory above the html root but this host doesn't have their directory structure set up to allow that.

what can i try with htaccess?

bwkaz
03-17-2004, 08:16 PM
Use MD5-hashed passwords?

Hash the password on the client side (or on the server side, after receiving it, either way should work except that hashing on the client side is slightly more secure, because attackers can't read the plaintext password in transit), and compare to the MD5 hash that you store in the .php file (or whatever it is).

To be even more secure, skip out on MD5 and use SHA-256 or SHA-512 instead. They're much better hashes, security-wise.

This way, if somebody reads the hash, they'd still have to give the server the cleartext password that hashes to that value. And finding that is going to take an extremely long time with a cryptographically secure hash function (like SHA-256 or SHA-512 -- heck, it'll take a good long time with MD5 also). The attacker is then reduced to brute forcing their way in (which they could always do anyway).

.htaccess is something that Apache honors, not the filesystem, so it won't help if the user is logged in to the box via ssh or something like that. But maybe that's not a concern...

nouse66
03-17-2004, 08:46 PM
either you misunderstood my situation or i have no idea what you're talking about :)

the server isn't mine at all. it's a webhost for a company i'm working for. the passwords i'm trying to secure are the ones for the php to mysql connection. how could i go about hashing those and still be able to make the mysql connection?

mdwatts
03-18-2004, 12:03 PM
Moved to the Web/Security forum where other Apache/PHP questions are located as it makes it easier for others to find solutions to their problems when forum searching.

ph34r
03-18-2004, 12:22 PM
You should also change the extension to something like .inc (for include) instead of .php, then use htaccess and the httpd.conf file to not allow files of that type to be downloaded/displayed.
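An .htaccess fragment illustrating the deny-by-extension approach described in the post above. It is added here as an example and is not a post from the thread; it assumes the include files end in .inc and that httpd.conf sets AllowOverride Limit (or All) for their directory so Apache honours the file.

```apache
# .htaccess in the directory holding the include files (constructed example).
# Apache only reads this file if httpd.conf allows it for this directory:
#   AllowOverride Limit   (or AllowOverride All)
#
# Deny direct HTTP requests for any *.inc file, so a browser asking for
# /includes/db_config.inc gets a 403 instead of the raw source with the
# MySQL username and password in it. PHP's include() reads the file from
# disk, not over HTTP, so scripts on the server can still use it.
<FilesMatch "\.inc$">
    # Apache 2.4 and later
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 1.3 / 2.0 / 2.2
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

This only covers requests that Apache serves; as bwkaz notes earlier in the thread, it does nothing for a user with shell or FTP access to the box, which is what file ownership and chmod 600 address.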

bwkaz
03-18-2004, 08:29 PM
Originally posted by nouse66
the passwords i'm trying to secure are the ones for the php to mysql connection. how could i go about hashing those and still be able to make the mysql connection?

Oh, you're right, I missed that. I thought you were trying to authenticate users on your own (comparing the password given to you in a form to one stored in the .php file).

OK, never mind that idea then.

nouse66
03-20-2004, 08:40 PM
Originally posted by ph34r
You should also change the extension to something like .inc (for include) instead of .php, then use htaccess and the httpd.conf file to not allow files of that type to be downloaded/displayed.

what can i do with htaccess to hide the files?