security concern

garikr

I have a simple PHP/MySQL project; there is a file with a few constants which I include on every page. Among other things it contains the MySQL password. Recently I've realized that it was accessible by everyone and changed its permissions to 600. Is that enough? What's the best way to store passwords of that nature?
P.S. Sorry if I've posted this in the wrong place.
 

descalzo

Create a directory

/home/garikr/includes (or name of your choice)

and store the file there. That way, Apache will not be able to serve the page directly.
 

garikr

Ty. So if I understand this correctly, Apache accesses the folders as Other and PHP can access any file in my hosting directory. Can I set up a directory accessible only to users registered on my site? Maybe set up a Workgroup somehow. Can Apache access folders with alternative credentials (with Workgroup access as opposed to Other)? Hope I'm making sense.
 

descalzo

Apache can only 'see' into public_html and subdirectories.
It does so as 'other' (i.e. neither owner nor group) so it cannot serve a file with 0770 permissions.
When it executes a script (php, perl, python) it does so as the owner of the script. So a script with 0700 permissions will execute.
PHP can include any file in /home/yourusername and subfolders.

You can password protect directories in Apache. Anyone trying to directly access a page in the directory will have to supply a username/password combo that has been stored. I.e., www.foo.com/secret/ can be protected. Users only have to supply the username/password once per session. It unlocks the entire directory, not just the first file requested.
 

xav0989

What you can do to protect a file that needs to be included everywhere is to add something along the lines of
PHP:
if (!defined('SECURITY')) {
    exit("This is not an entrypoint");
}
And then add
PHP:
define('SECURITY', true);
at the top of each page that includes the protected page.
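
Added example, not code posted by anyone in this thread: an entry page that combines the advice above by refusing to load the config file unless it sits outside the web root and is closed to group and other. The function name `checked_config_path` and the `../includes/config.php` location are assumptions, and the page is assumed to run under Apache so that `$_SERVER['DOCUMENT_ROOT']` is set.

```php
<?php
// Entry page, e.g. public_html/index.php (illustrative layout, not from the thread).
declare(strict_types=1);

define('SECURITY', true); // guard constant checked at the top of config.php

/**
 * Return the resolved config path only if it is safe to include:
 * outside the document root and with no group/other permission bits set.
 * Hypothetical helper written for this example.
 */
function checked_config_path(string $path, string $docRoot): string
{
    $real = realpath($path);      // resolves ".." and symlinks
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('config file or document root not found');
    }
    // A file under the document root can be requested directly by URL.
    // The trailing separator stops "public_html_old" matching "public_html".
    $sep = DIRECTORY_SEPARATOR;
    if (strpos($real . $sep, $root . $sep) === 0) {
        throw new RuntimeException('config file is inside the web root');
    }
    // 0077 masks the group and other bits; mode 0600 leaves all of them clear.
    $perms = fileperms($real);
    if ($perms === false || ($perms & 0077) !== 0) {
        throw new RuntimeException('config file is accessible to group or other');
    }
    return $real;
}

try {
    // Assumed location: a directory next to public_html, e.g. ~/includes/config.php.
    // config.php itself starts with the !defined('SECURITY') check shown above.
    require checked_config_path(
        __DIR__ . '/../includes/config.php',
        $_SERVER['DOCUMENT_ROOT']
    );
} catch (RuntimeException $e) {
    // Log the reason server-side; do not echo paths or modes to the visitor.
    error_log('config check failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Configuration error');
}
```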
 