Re: PHP and MySQL passwords
From: Ryan Hubbard (ryanmhuc_at_yahoo.com)
Date: 02/11/04
- Next message: andre: "Re: Using PHP with posted form"
- Previous message: Bruce Hartweg: "Re: Regular Expression Help Needed"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 11 Feb 2004 11:10:56 -0800
Mr Newbie,
Please do not take Chris Dingman as a good solution, sorry Chris.
I'll assume you're on a linux system with apache as your webserver.
First you have to ask yourself a couple of questions:
Is your server shared or dedicated???
If it is shared is PHP running as a module or cgi?
If it's a cgi is there a suexec or cgi wrapper in place?
If there's no suexec or cgi wrapper = security problem
What does all this mean? If you are the only one with access to the
server then Chris's solution is fine. If others have accounts on the
server they can read any file with permissions of **4 or higher.
If its running as a module
--------------------------
If you code the user/pass in a file anyone with an account on the
server can read this file since it must be readable by the apache user
(usually nobody, www or apache) and therefore is apache user readable
or world readable. If it is only readable by apache then someone can
simply write a script to retrieve the file contents.
If you move the login information to a separate file you can place
this file anywhere but it STILL MUST BE READABLE by the apache user
account and therefore anyone with an account can gain access to this
file either by reading it directly or by writing a script to read it.
If its running as a CGI
-----------------------
If there is a cgi wrapper or suexec running the php scripts then the
scripts are run by the user account. Therefore you can place the
login info in a separate file and give it permissions 400, 600 or 700
and your script can read this info but no one besides your account can
read it. THIS IS SECURE. If there is no wrapper or suexec running
the script then once again the scripts are run as the apache user and
you have the same problem as the module case.
WHY don't they run it as a CGI with a wrapper you ask? Because it is
a performance issue. A huge performance issue. Running it as a
module can be hundreds of times faster than loading it as a CGI
binary.
There really is no good solution for storing user/pass info when it's
running as a module (There are a couple of ways of using a cgi-gateway
script to utilize the security of php or perl as a CGI while gaining a
good amount of speed from the php module but that solution is beyond the
scope of this post). If you have to do it on a shared server with php
as a module at least store the passwords as a hash in a directory that
is not web accessible so they're not in plain text (Secure...no but it's
a step).
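The two checks the post keeps coming back to (is the credentials file readable by any account other than yours, and does it sit somewhere web accessible) can be scripted. The following is an added example, not code from the post or its author; it is a POSIX sh audit of a config file's mode string and location. The function names, the return-code scheme and the sample file it creates are all constructed for this illustration; point it at your real config path and your real document root.

```sh
#!/bin/sh
# Added example (not from the original post). Audits a credentials file for
# the two problems described in the thread:
#   1. group/world read bits: on a shared host where PHP runs as an Apache
#      module the file has to be readable by the Apache user, so any such bit
#      hands the contents to every other local account. Under suexec or a CGI
#      wrapper, 400/600 owned by your own account is enough.
#   2. location inside the document root, where a mis-served file can be
#      fetched over HTTP.
# Function and return-code layout are assumptions made for this example.

# mode_string FILE -> the 10-character permission string, e.g. -rw-r--r--
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# audit_creds FILE DOCROOT
# Prints one finding per line. Return value is a bitmask:
#   0 = private to the owner and outside the docroot
#   1 = readable by group or world
#   2 = located inside the document root
#   3 = both
audit_creds() {
    f=$1
    docroot=$2
    rc=0

    # Resolve symlinks on both sides so the prefix comparison is honest.
    abs=$(cd "$(dirname "$f")" && pwd -P)/$(basename "$f")
    if [ -d "$docroot" ]; then
        docroot=$(cd "$docroot" && pwd -P)
    fi

    m=$(mode_string "$f")
    grp=$(printf '%s' "$m" | cut -c5-7)   # group rwx triplet
    oth=$(printf '%s' "$m" | cut -c8-10)  # other rwx triplet
    case "$grp$oth" in
        *r*) echo "$f: readable by group or world ($m)"; rc=$((rc | 1)) ;;
    esac

    case "$abs" in
        "$docroot"/*) echo "$f: inside document root $docroot"; rc=$((rc | 2)) ;;
    esac

    [ "$rc" -eq 0 ] && echo "$f: private to owner ($m), outside docroot"
    return "$rc"
}

# Usage: sh audit_creds.sh /home/you/private/db_config.php /var/www/html
if [ "$#" -eq 2 ]; then
    audit_creds "$1" "$2"
fi
```

The mode check deliberately flags group read as well as world read: on many shared hosts every customer sits in the same default group, so 640 is no better than 644 there. A clean result (return code 0) only means what the post says it means, namely that the file is safe under suexec or a CGI wrapper; when PHP runs as a module the Apache user still has to be able to read it and the script cannot fix that.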