Re: MYSQL and PHP

Subject: Re: MYSQL and PHP
Date: Mon, 15 May 2006 20:58:55 -0400
On 5/15/06, John Madden <chiwawa999@yahoo.com> wrote:
> Is it standard to use INC files to store MYSQL db
> connections settings (username and password)?

Yes, it is very common.


> What else could you do to make this "safer" ?

If done correctly, there's nothing wrong (imo) with using an include file. "Correctly" generally means at least the following:

  - the include file is in a directory that is *not* accessible to
the web server
  - the file has permissions at the file system level such that only
the appropriate user(s) are able to read it (on a unix box I typically
set them to `chmod 0750` where the group is the webserver group and
the user is set to the owner of the file ... and arguably the
executable bit is not even needed for the owner)

PHP is file system aware, so files which are included do not need to
be in a directory the web server is serving to the internet. This is
one reason why putting db login and other sensitive information in one
(rather than in the script which is being executed by the server and
displayed to the browser) is a good idea.


> I presume Apache looks for files with extension
> "*.INC" and does not process them, right ?

IIRC, by default apache will serve anything it is not configured for (or able to determine using the mime-magic module) with a mime type "text/plain". This would mean that the .inc file is likely to be served up as a plain text file if it is in a web accessible directory.

One practice I've seen is to name the file <foo>.inc.php which forces
the script to be passed to PHP for parsing. This may help (presuming
PHP is correctly installed and configured for the server), but it is
much better to simply not allow the web server to serve up the include
file to the browser (I tend to do both things).

--
Jason Ross
GPG key: 0xF80C38B6
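The two "correctly" rules from the reply above (include file outside the document root, and no read access for "other") can be checked mechanically. The following audit script is an added example, not code from the original post; it assumes GNU `stat -c` or BSD `stat -f`, and the fixture layout it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example: audit a PHP include file holding DB credentials.
#   rule 1: it must live outside the web server's document root
#   rule 2: mode must deny "other" (e.g. 0750 with the webserver group,
#           as in the post, or 0640)

# audit_include FILE DOCROOT: prints findings, returns 0 only if both rules hold
audit_include() {
    file=$1
    docroot=$2
    ok=0

    # Resolve both to absolute paths so "../" in the input can't fool the test
    abs_file=$(cd "$(dirname "$file")" && pwd -P)/$(basename "$file")
    abs_root=$(cd "$docroot" && pwd -P)

    case "$abs_file" in
        "$abs_root"/*)
            echo "FAIL: $abs_file is inside document root $abs_root"
            ok=1 ;;
        *)
            echo "ok:   $abs_file is outside document root" ;;
    esac

    # Octal mode; the last digit is the "other" permission bits
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    other=$(printf '%s' "$mode" | tail -c 1)
    if [ "$other" != "0" ]; then
        echo "FAIL: $file mode $mode grants access to other"
        ok=1
    else
        echo "ok:   $file mode $mode denies access to other"
    fi
    return $ok
}

# make_fixture DIR: constructed layout with a world-readable db.inc inside
# htdocs (the leak case) and a 0750 db.inc.php outside it (the safe case)
make_fixture() {
    mkdir -p "$1/htdocs" "$1/private"
    printf '<?php $db_pass = "constructed-secret";\n' > "$1/htdocs/db.inc"
    chmod 0644 "$1/htdocs/db.inc"
    cp "$1/htdocs/db.inc" "$1/private/db.inc.php"
    chmod 0750 "$1/private/db.inc.php"
}

# Stand-alone demo: the first call fails on both rules, the second passes
tmp=$(mktemp -d)
make_fixture "$tmp"
audit_include "$tmp/htdocs/db.inc" "$tmp/htdocs" || echo "-> would be served as text/plain"
audit_include "$tmp/private/db.inc.php" "$tmp/htdocs" && echo "-> safe"
rm -rf "$tmp"
```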
