security concern

garikr

New Member
Messages
46
Reaction score
0
Points
0
I have a simple php/mySQL project, there is a file with a few constants which I include on every page. Among other things it contains mySQL password. Recently I've realized that it was accessible by everyone and changed it's permissions to 600. Is that enough? What's the best way to store passwords of that nature?
P.S. Sorry if I've posted this in the wrong place.
 

descalzo

Grim Squeaker
Community Support
Messages
9,375
Reaction score
327
Points
83
Create a directory

/home/garikr/includes (or name of your choice)

and store the file there. That way, Apache will not be able to serve the page directly
 

garikr

New Member
Messages
46
Reaction score
0
Points
0
Ty. So if I uderstand this correctly the apache access the folders as Other and php can access any file in my hosting derrictory. Can I set up a derrictory accesseble to only users, registered on my site? Maybe set up a Workgroup somehow. Can appache access folders with alternative credentials?(with Workgroup access as opposed to Other). Hope I'm making sence.
 

descalzo

Grim Squeaker
Community Support
Messages
9,375
Reaction score
327
Points
83
Apache can only 'see' into public_html and subdirectories.
It does so as 'other' (ie neither owner or group) so it cannot serve a file with 0770 permissions.
When it executes a script (php, perl, python) it does so as the owner of the script. So a script with 0700 permissions will execute.
PHP can include any file /home/yourusername and subfolders.

You can password protect directories in Apache. Anyone trying to directly access a page in the directory will have to supply a username/password combo that has been stored. ie, www.foo.com/secret/ can be protected. Users only have to supply the username/password once per session. It unlocks the entire directory, not just the first file requested.
 

xav0989

Community Public Relation
Community Support
Messages
4,467
Reaction score
95
Points
0
What you can do, to protect a file that needs to be included everywhere, is to add something along the line of
PHP:
if (!defined('SECURITY')) {
    exit("This is not an entrypoint");
}
And then add
PHP:
define('SECURITY', true);
at the top of each page that includes the protected page.
 
Top