RE: [PHP-DB] hiding db password

2003-06-12 Thread Sallee, Helen
Thank you all for your suggestions.  I created a hidden file one level above my root 
directory with significant owner/group permissions so that it would be extremely 
difficult to detect.  Looks and works great.  Thanks.


Helen Sallee
VIS Database Administrator



-----Original Message-----
From: Brent Baisley [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 12, 2003 10:44 AM
To: Sallee, Helen
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP-DB] hiding db password


I place all my access info in its own directory that is not directly 
accessible via the web. I usually place this on the same level as the 
CGI directory, which is also not directly accessible. Typically this is 
one level up from your site directory. If the php module breaks, then 
includes and requires won't work so your passwords won't be seen.
/path/to/site/
/path/to/accessfile/
/path/to/cgi/

You do have to specify the directory as an "include_path" for php.

On Thursday, June 12, 2003, at 10:31 AM, Sallee, Helen wrote:

> Hi, I'm new to PHP and need to know how I can completely hide Oracle 
> database password used in OCILogon call.  Since all .php pages can be 
> read by www user, if the userid and password are coded in the .php 
> page, then anyone can fopen this file and view the contents (right?) - 
> this presents a security problem.  So how can I have a database 
> connection which is secure?  Or am I missing something in here?
>
-- 
Brent Baisley
Systems Architect
Landover Associates, Inc.
Search & Advisory Services for Advanced Technology Environments
p: 212.759.6400/800.759.0577




--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP-DB] hiding db password

2003-06-12 Thread Brent Baisley
I place all my access info in its own directory that is not directly 
accessible via the web. I usually place this on the same level as the 
CGI directory, which is also not directly accessible. Typically this is 
one level up from your site directory. If the php module breaks, then 
includes and requires won't work so your passwords won't be seen.
/path/to/site/
/path/to/accessfile/
/path/to/cgi/

You do have to specify the directory as an "include_path" for php.

On Thursday, June 12, 2003, at 10:31 AM, Sallee, Helen wrote:

Hi, I'm new to PHP and need to know how I can completely hide Oracle 
database password used in OCILogon call.  Since all .php pages can be 
read by www user, if the userid and password are coded in the .php 
page, then anyone can fopen this file and view the contents (right?) - 
this presents a security problem.  So how can I have a database 
connection which is secure?  Or am I missing something in here?

--
Brent Baisley
Systems Architect
Landover Associates, Inc.
Search & Advisory Services for Advanced Technology Environments
p: 212.759.6400/800.759.0577


Re: [PHP-DB] hiding db password

2003-06-12 Thread mike karthauser
on 12/6/03 3:48 pm, CPT John W. Holmes at [EMAIL PROTECTED] wrote:

> From a web server perspective, though, this is
> "safer" because if the web server ever broke and started serving PHP pages
> as plain text (been there, done that), then at least no one can get to your
> include file through your web server.

That is what I meant by more secure. Putting files below webroot prevents
web users from getting at them.
-- 
Mike Karthauser 
Managing Director - Brightstorm Ltd

Email   >> [EMAIL PROTECTED]
Web >> http://www.brightstorm.co.uk
Tel >> 0117 9426653 (office)
   07939 252144 (mobile)

Snailmail   >> Unit 8, 14 King Square,
   Bristol BS2 8JJ





Re: [PHP-DB] hiding db password

2003-06-12 Thread CPT John W. Holmes
> > <?php
> > putenv("TWO_TASK=ORCL2");
> > putenv("ORACLE_HOME=/u01/home/oracle/product/9.2.0");
> > $conn = OCILogon("USER1","USER1PASS");
> > $query = OCIParse($conn,"select * from state");
> > OCIExecute($query);
> > ?>
> >
> > Thank you
>
> Use an include file buried below your site root with
>
> <?php
> $user = "USER1";
> $pass = "USER1PASS";
>
> Then you should be able to do:
>
> include "/path/to/pass.inc.php";
> 
> $conn = OCILogon($user, $pass);
>
> Which is more secure.

Be careful when you say something is "more secure". From a file system
perspective, this method is no different from putting the username/password
in the regular PHP file. From a web server perspective, though, this is
"safer" because if the web server ever broke and started serving PHP pages
as plain text (been there, done that), then at least no one can get to your
include file through your web server.

---John Holmes...





Re: [PHP-DB] hiding db password

2003-06-12 Thread Christophe Casalegno
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 12 June 2003 16:38, mike karthauser wrote:

> Then you should be able to do:
>
> include "/path/to/pass.inc.php";
> 
> $conn = OCILogon($user, $pass);
>
> Which is more secure.

I prefer using require_once rather than include for security reasons.
You can also implement security functions like crypto for the connection, etc.
But I think the real security problem is the system and the network...

friendly,

- -- 
Christophe Casalegno | Digital Network | UIN : 153305055
http://www.digital-network.net | http://www.speed-connect.com
http://www.securite-reseaux.com | http://www.dnsi.info
Security engineer network/systems | Intrusion tests specialist.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+6I680mOixX2DR8IRAprXAJ9yJCHgx++REy+jfDBD1KTO0QhUVwCcD1hv
lUQRpfuUWz3YMJdCvMfRCpk=
=WB6u
-----END PGP SIGNATURE-----





Re: [PHP-DB] hiding db password

2003-06-12 Thread mike karthauser
on 12/6/03 3:31 pm, Sallee, Helen at [EMAIL PROTECTED] wrote:

> <?php
> putenv("TWO_TASK=ORCL2");
> putenv("ORACLE_HOME=/u01/home/oracle/product/9.2.0");
> $conn = OCILogon("USER1","USER1PASS");
> $query = OCIParse($conn,"select * from state");
> OCIExecute($query);
> ?>
> 
> Thank you

Use an include file buried below your site root with

<?php
$user = "USER1";
$pass = "USER1PASS";

Then you should be able to do:

include "/path/to/pass.inc.php";

$conn = OCILogon($user, $pass);

Which is more secure.

-- 
Mike Karthauser 
Managing Director - Brightstorm Ltd

Email   >> [EMAIL PROTECTED]
Web >> http://www.brightstorm.co.uk
Tel >> 0117 9426653 (office)
   07939 252144 (mobile)

Snailmail   >> Unit 8, 14 King Square,
   Bristol BS2 8JJ





Re: [PHP-DB] hiding db password

2003-06-12 Thread Christophe Casalegno
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 12 June 2003 16:31, Sallee, Helen wrote:
> Hi, I'm new to PHP and need to know how I can completely hide Oracle
> database password used in OCILogon call.  Since all .php pages can be read
> by www user, if the userid and password are coded in the .php page, then
> anyone can fopen this file and view the contents (right?) - this presents a
> security problem.  So how can I have a database connection which is secure?
>  Or am I missing something in here? The code below is what I have.
>
> <?php
> putenv("TWO_TASK=ORCL2");
> putenv("ORACLE_HOME=/u01/home/oracle/product/9.2.0");
> $conn = OCILogon("USER1","USER1PASS");
> $query = OCIParse($conn,"select * from state");
> OCIExecute($query);
> ?>
>
> Thank you

Just put the right permissions and uid/gid on your script to solve your 
problem.


For example, PHP in suexec/CGI mode with Apache patched for suexec, user toto, 
group users, with a 705 chmod... You can also further secure the environment 
with a kernel patch like grsecurity and access lists.

friendly,

- -- 
Christophe Casalegno | Digital Network | UIN : 153305055
http://www.digital-network.net | http://www.speed-connect.com
http://www.securite-reseaux.com | http://www.dnsi.info
Security engineer network/systems | Intrusion tests specialist.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+6IzU0mOixX2DR8IRAnGHAJ47Dk50xAzeoTn7CxH31FpHvUC3xgCeMXqB
KAcM5gm3dvq/9l2Y6Iss3UI=
=fiK4
-----END PGP SIGNATURE-----


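As an added example, written for this archive page and not code from the thread or from any of its posters: it combines the layout Brent and Mike describe (credentials in a file outside the document root, pulled in with require) with the checks that John's and Christophe's replies point to, that the file is owned by the uid the script actually runs as (suexec or a per-site user) and has no group/other permission bits. The paths /path/to/site and /path/to/accessfile/db.inc.php, the contents of db.inc.php, and the presence of the posix and oci8 extensions are assumptions; oci_connect stands in for the thread's OCILogon.

```php
<?php
// Added example; not code from the thread. Loads Oracle credentials from a
// file outside the web root and, because moving the file changes nothing on
// the file-system side, also checks ownership and mode before using it.
//
// Assumed, hypothetical layout:
//   /path/to/site/                  document root
//   /path/to/accessfile/db.inc.php  credentials, owned by the script's uid, mode 0400
//
// Assumed contents of db.inc.php (constructed; the file returns an array and
// echoes nothing, so even a stray include can never print the password):
//   <?php
//   return ['user' => 'USER1', 'pass' => 'USER1PASS', 'db' => 'ORCL2'];

declare(strict_types=1);

/**
 * Load credentials from $credFile after three checks:
 *  1. the resolved path lies outside $docRoot, so a web server that stops
 *     executing PHP still cannot serve the file as text (web-server side);
 *  2. the file is owned by the uid this script runs as, so scripts running
 *     under other users on the same box are not its owner (suexec/per-site uid);
 *  3. the mode has no group/other bits (0400 or 0600), the file-system side.
 * Throws RuntimeException naming the first failed check.
 */
function load_db_credentials(string $credFile, string $docRoot): array
{
    $real = realpath($credFile);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException("credential file or document root not found");
    }

    // Check 1: not under the document root (prefix test on resolved paths).
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $rootPrefix, strlen($rootPrefix)) === 0) {
        throw new RuntimeException("$real is inside the web root $root");
    }

    // Check 2: owner == effective uid (posix extension assumed; skipped if absent).
    if (function_exists('posix_geteuid') && fileowner($real) !== posix_geteuid()) {
        throw new RuntimeException(sprintf('%s is owned by uid %d, script runs as uid %d',
            $real, fileowner($real), posix_geteuid()));
    }

    // Check 3: no permission bits for group or other.
    $mode = fileperms($real) & 0777;
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf('%s has mode %04o; expected 0400 or 0600', $real, $mode));
    }

    $creds = require $real;   // the file's return value; nothing is echoed
    if (!is_array($creds)) {
        throw new RuntimeException("credential file does not return an array");
    }
    foreach (['user', 'pass', 'db'] as $key) {
        if (!isset($creds[$key]) || !is_string($creds[$key])) {
            throw new RuntimeException("credential file does not return a '$key' string");
        }
    }
    return $creds;
}

// Usage from a page under /path/to/site/. DOCUMENT_ROOT is unset under the CLI,
// hence the fallback to the assumed path.
try {
    $creds = load_db_credentials('/path/to/accessfile/db.inc.php',
                                 $_SERVER['DOCUMENT_ROOT'] ?? '/path/to/site');
    // oci_connect is the current name of what the thread calls OCILogon; its
    // third argument takes the place of the TWO_TASK environment variable.
    if (function_exists('oci_connect')) {
        $conn = oci_connect($creds['user'], $creds['pass'], $creds['db']);
        if ($conn === false) {
            $err = oci_error();
            throw new RuntimeException('OCI connect failed: ' . ($err['message'] ?? 'unknown'));
        }
        $stmt = oci_parse($conn, 'select * from state');
        oci_execute($stmt);
        oci_close($conn);
    }
    echo "credentials loaded for user {$creds['user']}\n";   // never echo the password
} catch (RuntimeException $e) {
    // The reason goes to the server log; the browser only sees a generic error.
    error_log($e->getMessage());
    http_response_code(500);
    echo "database configuration error\n";
}
```

Check 1 is the web-server argument made in the thread; checks 2 and 3 are the file-system argument John Holmes raises: when every site on a host runs as the same www user, an include file outside the web root is still readable by every other site's scripts, and only a per-site uid (suexec or an equivalent) together with a 0400/0600 mode closes that gap. Run on a box without the assumed file, the script logs which check failed and returns only the generic message.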