WebApp Sec mailing list archives

Re: MYSQL and PHP

From: Todd Hendricks <djtrubeliever () comcast net>
Date: Mon, 15 May 2006 23:06:15 -0500

Name your files "*.inc.php" to prevent apache from displaying them. Asadded security, keep them out of the web root and access them usingabsolute paths (ie., if your webroot is /home/web/public_html/, storeyour includes in /home/web/includes). If you must have your files belowyour webroot, make sure to use an .htaccess file to prevent access tothe directory directly. Combine these three tactics and you should bein good shape.

For server-level security in shared hosting environments, if your webhost supports some sort of accelerator such as eaccelerator, ioncube, orzend encoder, encode your DB login information PHP files using that.And, as always, proper file ownership and permissions (user:apache, 640)are of primary importance.


- Todd

John Madden wrote:

Hi,

First off i'm not a PHP programmer but I would like to
know the following:
Is it standard to use INC files to store MYSQL db
connections settings (username and password)?
What else could you do to make this "safer" ?

I presume Apache looks for files with extention
"*.INC" and does not processes them, right ?

Thanks you

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection aroundhttp://mail.yahoo.com
-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire named worldwide market share leader in web application securityassessment by leading market research firm. Watchfire's AppScan is theindustry's first and leading web application security testing suite, andthe only solution to provide comprehensive remediation tasks at everylevel of the application. See for yourself.Download a Free Trial of AppScan 6.0 today!
https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------



-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire named worldwide market share leader in web application securityassessment by leading market research firm. Watchfire's AppScan is theindustry's first and leading web application security testing suite, andthe only solution to provide comprehensive remediation tasks at everylevel of the application. See for yourself.Download a Free Trial of AppScan 6.0 today!


https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------

Current thread:

MYSQL and PHP John Madden (May 15)
- Re: MYSQL and PHP Mark Sanders (May 16)
- Re: MYSQL and PHP Robin Wood (May 16)
- Re: MYSQL and PHP Todd Hendricks (May 16)
- Re: MYSQL and PHP Gerald Quakenbush (May 16)
  - Re: MYSQL and PHP Robin Wood (May 16)
    - Re: MYSQL and PHP Gerald Quakenbush (May 16)
  - Re: MYSQL and PHP bugtraq (May 16)
    - Re: MYSQL and PHP Reid Nichol (May 17)
- Re: MYSQL and PHP r0xes (May 16)
- Re: MYSQL and PHP Kevin Johnson (May 16)
- Re: MYSQL and PHP Jason Ross (May 16)
- Re: MYSQL and PHP Klientų aptarnavimas (May 16)
- Re: MYSQL and PHP Kirk . Johnson (May 16)

(Thread continues...)