9

As my server is getting a bit bigger, and more users are getting access to it, I don't want them to see the password that MySQL is using to connect to PHP, which is stored in my 'connect.php' file and required by every page. However, it is just sitting in the same directory as the rest of the php files.

I've considered using a second 'connect.php'-like file with access to only one table, that stores the encrypted passwords to connect to MySQL, but then I would have the problem of hiding the key to it.

Changing permissions won't work either; if you chmod o-r or something similar, nobody will be able to access the web application, obviously.

Is there an accepted method to get around this problem, or should I just solve it on my own? The problem is that I don't want it to be too convoluted if there is an accepted method.

Ryan Ward Valverde

6 Answers

8

I would strongly recommend moving connect.php to one directory above your DOCUMENT_ROOT so that it is not accessible from your web server.

Your PHP files can of course include connect.php with a full or relative path, e.g.:

```php
require_once('../connect.php');
```

anubhava
7

All the answers have good advice but fail to address the fact that any user with server access can just snoop around and open the config.php in an editor.

Set your config files in a directory outside of public webspace. The webserver should be the owner of this directory and it should have permissions set to 700. All files it contains should be 644. This way no one can even read the file contents apart from the webserver user or root.

This is a common approach. There is a lot more to the subject, as security is a very vast topic, but it is better than 90% of the setups out there.

Stephane Gosselin
  • In this case, we are assuming that root:root is the owner, right? So, when I tried `chmod`ding it the way you said, the website became restricted so nobody can see it. – Ryan Ward Valverde Jun 08 '11 at 16:44
  • 1
    On what distro? On a lot of Linux distros, the Apache user is www-data, so www-data will not be able to open root's folders. Use `top` or `ps` and check the user your Apache runs as, and that is the user that has to own the configuration folder. This is the tightest and most effective security measure I know of for configuration files. – Stephane Gosselin Jun 08 '11 at 16:52
  • Using Ubuntu for now, until we get a hardware upgrade. Checking out these suggestions. – Ryan Ward Valverde Jun 08 '11 at 16:57
  • On Ubuntu, as per the documentation `The default value for User is www-data.` Make sure to have config folder _outside your webpath_ and add the folder to your [include_path](http://www.php.net/manual/en/ini.core.php#ini.include-path) in php.ini. – Stephane Gosselin Jun 08 '11 at 17:12
  • That works the best. The connect.php is totally unviewable by non sudoers, this is really great. Thanks a lot. – Ryan Ward Valverde Jun 08 '11 at 17:19
  • Of course, if anyone else has access to the webspace, they could write a PHP script that reads that file – vpzomtrrfrt May 27 '20 at 14:27
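
One way to check the layout this answer and its comments describe (config directory outside the web path, owned by the user the web server runs as, mode 700), as an added example that is not part of the original answers. It assumes GNU coreutils (`stat -c`, `realpath`) as found on Ubuntu; the function name and the paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: audit a config directory against the layout described above.
# Assumes GNU coreutils (stat -c, realpath). Names and paths are hypothetical.

# audit_config_dir DIR DOCROOT OWNER
# Prints each finding; returns 0 if the layout matches, 1 otherwise.
audit_config_dir() {
    dir=$(realpath "$1") || return 1
    docroot=$(realpath "$2") || return 1
    owner=$3
    rc=0

    # 1. The directory must not live under (or be) the document root,
    #    otherwise a PHP runtime failure could serve its files as plaintext.
    case "$dir/" in
        "$docroot"/*) echo "FAIL: $dir is inside the document root"; rc=1 ;;
    esac

    # 2. It must be owned by the user the web server runs as
    #    (www-data by default on Ubuntu).
    actual_owner=$(stat -c '%U' "$dir")
    if [ "$actual_owner" != "$owner" ]; then
        echo "FAIL: owner is $actual_owner, expected $owner"; rc=1
    fi

    # 3. Mode 700: with no group/other bits, other local users cannot
    #    enter the directory, whatever the modes of the files inside.
    mode=$(stat -c '%a' "$dir")
    if [ "$mode" != "700" ]; then
        echo "FAIL: mode is $mode, expected 700"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $dir"
    return "$rc"
}

# Usage (hypothetical paths):
#   audit_config_dir /var/www-config /var/www/html www-data
```

The check covers other local accounts only; code that runs as the web server user can still read the directory, which is the limit the last comment above points out.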
2

Set $password, connect, then unset() $password. They should never be able to recover it. I don't think a PHP file can be downloaded anyway, nor seen. It is always compiled by the server before.

Shoe
  • This'd only have any value if - for some reason - you'd allow third-party code to run on the same PHP instance / in the same set of scripts, in which case there's probably a million other security reasons you should be concerned about. – cthulhu Jun 12 '11 at 20:09
2

The content of server side files cannot be obtained by users, unless you show it to them willingly (or by mistake).

Most likely any compromise would come via FTP access in which case a hacker would have access to all files on the webserver anyway.

cusimar9
  • 1
    It has occurred many times (I believe it recently happened on Flickr or some big site like that) that the PHP runtime momentarily fails, causing Apache to send the files over as plaintext and thus, a user to view the passwords. – cthulhu Jun 12 '11 at 20:07
2

Move it to a folder after the root of www, such as www/includes. From there, you may use htaccess to block permission for viewing files under /includes.

After connecting to the SQL database, use unset($username, $password) so that there is no security threat of someone echoing the username or password.

Finally, it's always best to have dedicated hosting so that nobody else with access to the web server can potentially view other users' files.

gpresland
0

Alternatively, you could get rid of passwords altogether and configure the DB server so that only connections from localhost are accepted. This'll only work on dedicated hosting though; it's a security risk if you're on shared hosting.

cthulhu