WebApp Sec mailing list archives
Re: MYSQL and PHP
From: "Jason Ross" <algorythm () gmail com>
Date: Mon, 15 May 2006 20:58:55 -0400
On 5/15/06, John Madden <chiwawa999 () yahoo com> wrote:
Is it standard to use INC files to store MYSQL db connections settings (username and password)?
Yes, it is very common.
What else could you do to make this "safer" ?
If done correctly, there's nothing wrong (imo) with using an include file. "Correctly" generally means at least the following:

- the include file is in a directory that is *not* accessible to the web server
- the file has permissions at the file system level such that only the appropriate user(s) are able to read it (on a unix box I typically set them to `chmod 0750` where the group is the webserver group and the user is set to the owner of the file ... and arguably the executable bit is not even needed for the owner)

PHP is file system aware, so files which are included do not need to be in a directory the web server is serving to the internet. This is one reason why putting db login and other sensitive information in one (rather than in the script which is being executed by the server and displayed to the browser) is a good idea.
I presume Apache looks for files with extension "*.INC" and does not process them, right?
IIRC, by default apache will serve anything it is not configured for (or able to determine using the mime-magic module) with a mime type "text/plain". This would mean that the .inc file is likely to be served up as a plain text file if it is in a web accessible directory.

One practice I've seen is to name the file <foo>.inc.php which forces the script to be passed to PHP for parsing. This may help (presuming PHP is correctly installed and configured for the server), but it is much better to simply not allow the web server to serve up the include file to the browser (I tend to do both things).

--
Jason Ross
GPG key: 0xF80C38B6
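The two conditions Jason lists (include file outside the served tree, and file-system permissions that keep it from anyone but the owner and the web server's group) can be checked mechanically. The script below is an added example for this archive page, not code from the original post; it builds a throwaway layout under a temp directory with constructed paths and a placeholder password, and the `check_include` function flags a file that either sits under the document root or carries any "other" (world) permission bits. The group bits are deliberately left alone, since in the scheme above the group is the web server's group and is supposed to be able to read the file; `chgrp` to that group is omitted because the group name is site-specific. The `stat` fallback assumes either GNU `stat -c` or BSD `stat -f` is available.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a PHP include file
# holding DB credentials is (a) outside the web server's document root and
# (b) not readable by "other". All paths below are constructed for the demo.
set -eu

# Succeeds (returns 0) when $2 does NOT live anywhere under document root $1.
outside_docroot() {
    docroot=$(cd "$1" && pwd -P)
    file=$(cd "$(dirname "$2")" && pwd -P)/$(basename "$2")
    case "$file" in
        "$docroot"/*) return 1 ;;   # inside the served tree: fetchable by URL
        *)            return 0 ;;
    esac
}

# Succeeds when the file's mode grants nothing to "other" (last octal digit 0).
not_world_readable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    other=${mode#"${mode%?}"}    # POSIX way to take the last character
    [ "$other" = "0" ]
}

# Combined check: both conditions from the post must hold.
check_include() {
    outside_docroot "$1" "$2" && not_world_readable "$2"
}

# Demo: one correct placement and one risky one, under a temp directory.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/html" "$tmp/private"     # html/ stands in for DocumentRoot

    # Good: outside the served tree, mode 0750 as in the post (owner rwx,
    # group r-x, world nothing). In production the group would be the web
    # server's group (chgrp omitted here: that group may not exist locally).
    printf '<?php $db_user = "app"; $db_pass = "placeholder";\n' \
        > "$tmp/private/db.inc.php"
    chmod 0750 "$tmp/private/db.inc.php"

    # Bad: same content dropped into the document root and world-readable,
    # which Apache would hand out as text/plain unless told otherwise.
    cp "$tmp/private/db.inc.php" "$tmp/html/db.inc"
    chmod 0644 "$tmp/html/db.inc"

    for f in "$tmp/private/db.inc.php" "$tmp/html/db.inc"; do
        if check_include "$tmp/html" "$f"; then
            echo "OK   $f"
        else
            echo "RISK $f (inside document root or world-readable)"
        fi
    done
    rm -rf "$tmp"
}

demo
```

Run it as-is to see one `OK` and one `RISK` line; to audit a real deployment, call `check_include /path/to/DocumentRoot /path/to/db.inc.php` with the actual paths.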