
I have a curl script which logs into a website that I wrote in PHP to accomplish a task.

The problem is I have to store my password in plain text in a PHP file so curl can use it to log in correctly.

Is there any way I could encrypt that password, so that if anyone else ever got onto FTP or anything and looked at the file it's in, they wouldn't be able to read the password, but curl would still be able to read it and use it properly?

Thanks! M

David Zorychta
  • Is the curl script hosted on the same FTP as the password file? In this case the intruder could easily grab the decryption as well, so it'd be for nothing. Why don't you use an external SQL database to store the password? – Anonymous Oct 23 '11 at 04:06
  • @danontheline Where would you store the db user credentials? – ghbarratt Oct 23 '11 at 04:10
  • The first answer of the following question could help: http://stackoverflow.com/questions/1289061/best-way-to-use-php-to-encrypt-and-decrypt – Teofilo Israel Vizcaino Rodrig Oct 23 '11 at 04:13
  • @ghbarratt yeah right, wouldn't help much, apart from the fact that the intruder would have to write a little script to access the database. – Anonymous Oct 23 '11 at 04:14

3 Answers

If you encrypt your password your curl script will have to decrypt it to use it as the password for your PHP task.

To encrypt your password you will have to use an encryption key, also known as a password. You will need the decryption key stored so your curl script can decrypt the password used for your PHP, but now you've stored the password for decrypting the password.

This is the problem that all DRM (DVD encryption, for example) runs into -- you have to make the keys available to decrypt what you're trying to protect, and you therefore compromise security.

Your best bet to be secure is to have a driver "program" (could be a script or whatever) that interactively asks for a password and hangs onto it until it's time to run the real job (your curl script in this case) at which time the driver can supply the password.

Alternatives to be completely non-interactive are to keep the password like you are now, but maybe in a less available space than the source itself, or to use certificate authentication to negotiate a secure and trusted connection - which of course involves getting certificates from a Certificate Authority.

Security is Not Easy.


And I second the answer mentioned by Teofilo Israel Vizcaino Rodrig in the comments.

Stephen P

You can encrypt files on the server so that only certain users of the system can unencrypt them. GPG is the specific example I can think of. Here are some links for you to check out on GPG (GnuPG) file encryption:

You are always in trouble if it is the root user account that is compromised.

PS - If you are concerned about security and you are actually using FTP (instead of SFTP) I would recommend configuring your server to only allow SFTP connections.

ghbarratt

FTP is (or at least, should be) protected by a password. If someone is smart enough to get past that and get on your FTP, how can you expect to stop them getting your passwords for other things too?

In other words, you're worrying too much here, I think. As long as the password is in a file that's below web-root, you should be fine.

Niet the Dark Absol
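The following driver script is an added example and is not code from any answer in this thread. It puts together Stephen P's suggestion of a driver program that asks for the password interactively, and Niet the Dark Absol's and ghbarratt's point that the secret should at least live in a file outside the web root that only the job's own user can read. The login URL, the credentials file path, the `LOGIN_USER` name and the `user`/`pass` form field names are assumptions, not values from the question. The password is handed to curl through a config file on stdin so it never appears on the command line or in the process list.

```shell
#!/bin/sh
# Added example (not from the original thread): a driver for the curl login job.
# The password is obtained either from a 0600-mode file outside the web root or,
# failing that, from an interactive prompt, and is passed to curl via a config
# file read from stdin rather than as a command-line argument.
set -eu

LOGIN_URL="${LOGIN_URL:-https://example.invalid/login.php}"   # assumed placeholder URL
CRED_FILE="${CRED_FILE:-/etc/myjob/login.pass}"               # assumed path, outside the web root
LOGIN_USER="${LOGIN_USER:-alice}"                              # assumed account name
COOKIE_JAR="${COOKIE_JAR:-${HOME:-/tmp}/.myjob-cookies}"       # session cookies after login

# Refuse a credentials file that other accounts on the box could read.
# Succeeds only if the file is a regular file, owned by the caller, mode 600 or 400.
check_cred_file() {
  f="$1"
  [ -f "$f" ] || { echo "credentials file $f missing" >&2; return 1; }
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  owner=$(stat -c '%u' "$f" 2>/dev/null || stat -f '%u' "$f")
  [ "$owner" = "$(id -u)" ] || { echo "$f is not owned by the current user" >&2; return 1; }
  case "$mode" in
    600|400) return 0 ;;
    *) echo "$f has mode $mode; expected 600 or 400" >&2; return 1 ;;
  esac
}

# Ask for the password on the terminal without echoing it (Stephen P's driver idea).
prompt_password() {
  printf 'Password for %s: ' "$LOGIN_URL" >&2
  trap 'stty echo </dev/tty 2>/dev/null' EXIT
  stty -echo </dev/tty
  read -r pw </dev/tty
  stty echo </dev/tty
  echo >&2
  printf '%s\n' "$pw"
}

# Prefer the protected file; fall back to the interactive prompt.
get_password() {
  if [ -r "$CRED_FILE" ] && check_cred_file "$CRED_FILE"; then
    head -n 1 "$CRED_FILE"
  else
    prompt_password
  fi
}

# curl config files use "..." quoting where backslash and double quote must be escaped.
escape_cfg() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Emit a curl config on stdout: one option per line, secret never in argv.
curl_config() {
  user="$1"; pw="$2"
  printf 'url = "%s"\n' "$(escape_cfg "$LOGIN_URL")"
  printf 'data-urlencode = "user=%s"\n' "$(escape_cfg "$user")"
  printf 'data-urlencode = "pass=%s"\n' "$(escape_cfg "$pw")"
  printf 'cookie-jar = "%s"\n' "$(escape_cfg "$COOKIE_JAR")"
  printf 'fail\n'
}

# Run the real job: build the config in memory and feed it to curl on stdin.
run_job() {
  pw=$(get_password)
  curl_config "$LOGIN_USER" "$pw" | curl --silent --show-error --config -
}

# Only perform the login when invoked as:  ./driver.sh --run
if [ "${1:-}" = "--run" ]; then
  run_job
fi
```

The credentials file is read only after its ownership and mode pass the check, so a file that was accidentally created world-readable (or left in the FTP-visible tree) makes the script refuse and fall back to prompting rather than silently using an exposed secret. Anyone with the job user's privileges or root can still read the file, which is the limit all three answers describe.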