Ohh, I don't get any error messages, BUT if I have my php
functions not working properly I can see the source of php code on
my browser. If I use extension .inc for including my
connection-variables file then browser attempts to download this file which is
not better than first. I searched the net on this topic and found a
LOT of information about this problem and the best that I found is
here. I just want you to be aware of this problem, play with your
server to understand my worry:

FROM: Johnny Withers
DATE: 04/30/2001 08:21:46
SUBJECT: RE:  Password security

Put it in an include file, like..
dbconnect.inc
Then add this to your httpd.conf file:
<Files ~ "\.inc$">
        Order allow,deny
        Deny from all
</Files>
keeps people from downloading your .inc files.
And also, make the .inc file readable only by the web server
and no one else.
Cheers.
---------------------
Johnny Withers
<EMAIL: PROTECTED>
p. 601.853.0211
c. 601.209.4985
-----Original Message-----
From: oltra jean-michel [mailto:<EMAIL: PROTECTED>]
Sent: Monday, April 30, 2001 10:03 AM
To: Philippe Louis Houze
Cc: <EMAIL: PROTECTED>
Subject: Re: Password security
On Sun, 29 Apr 2001, Philippe Louis Houze wrote:
> Date: Sun, 29 Apr 2001 10:56:52 -0400
> From: Philippe Louis Houze <<EMAIL: PROTECTED>>
> To: <EMAIL: PROTECTED>
> Subject: Re: Password security
>
> Hi,
>
> How do you keep MySQL password out of view of "visitors" when needed
> in PHP to access the db. The password is in plain english in
> all the php files, and can be easily downloaded by anyone.
>
> Philippe
>
> ex:
>
> <? mysql_connect("host", "user", "password");
>  mysql_select_db("database");
> ?>
<?
include("variables.php3");
$link = mysql_connect($db_server,$db_login,$db_password);
mysql_select_db($db,$link);
?>
and in variables.php3 file
<?
$db_server = "host";
$db_login = "user";
$db_password = "mypassword";
$db = "database";
?>
and protect include-directory with .htaccess
--
jean-michel
---------------------------------------------------------------------
Before posting, please check:
   http://www.mysql.com/manual.php   (the manual)
   http://lists.mysql.com/           (the list archive)
To request this thread, e-mail <<EMAIL: PROTECTED>>
To unsubscribe, e-mail <mysql-unsubscribe-johnny=<EMAIL:
PROTECTED>>
Trouble unsubscribing? Try:
http://lists.mysql.com/php/unsubscribe.php
---------------------------------------------------------------------

On 9 Aug 2001, at 13:04, Bjorn Van Simaeys wrote:

> Hey Youri,
>
>
> Could you let us know what file extension you use for
> you php files? And give us the exact code/error
> message you get on screen. Of course you can hide your
> username/pass with xxxxx.
>
>
> Thanks
> Bjorn Van Simaeys
> www.bvsenterprises.com
>
>
>
> --- Matthew Loff <[EMAIL PROTECTED]> wrote:
> >
> > How exactly is the username/password from the mysql_connect() call shown
> > to the browser?
> >
> > I normally just get a PHP error when the db connection can't be made.
> > No code is shown, just a line number.  If, in your case, PHP dumps the
> > source code to the browser window when the db connection won't work,
> > then something has to be wrong. :)
> >
> > --Matt
> >
> >
> > -----Original Message-----
> > From: BRACK [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, August 09, 2001 5:57 AM
> > To: Attila Strauss
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: [PHP] MySQL connection
> >
> >
> > I have tested again what I said yesterday and found that if I have
> > problems in PHP support in Apache then all my information
> > (username and password) are seen simply on the screen, so it's not
> > about dead SQL server but PHP.
> >
> > However, I went through all docs that I have on this topic and found
> > that the only solution of this is to put included "connect.php/inc"
> > outside of htdocs directory and configure your php.ini such a way
> > that one outsider directory would be accepted and only by php call.
> >
> > Hope I didn't mess up this time so you are able to understand what
> > I mean... =))
> >
> > Thank you for the help anyway,  just be aware of this PHP prob
> > when you pick up provider.
> >
> > Youri
> > On 8 Aug 2001, at 19:33, Attila Strauss wrote:
> >
> > > hi,
> > >
> > > there are 2 ways.
> > >
> > > 1. you hardcode the user/password in the php.ini file.
> > > 2. u do a simple error checking like :
> > >
> > > <?php
> > > $connect = mysql_connect($host, $user, $pass);
> > > if(!$connect)
> > > {
> > > print "connection failed";
> > > }
> > >
> > > ?>
> > >
> > > of course you could also do like kinda header("Location: http://host");
> > > instead of print "connection failed".
> > >
> > > i hope i could help you.
> > >
> > > best regards
> > > attila strauss
> > >
> > >
> > >
> > >
> > > > Hey Jouri,
> > > >
> > > >
> > > > I don't agree with this one. I tested it out on my localhost and got
> > > > the two error messages I told you I was going to get:
> > > >
> > > > Warning: Unknown MySQL Server Host...
> > > > Warning: MySQL Connection Failed...
> > > >
> > > > No usernames/passwords. I have to say however that I
> > > > always include my connect.php file. Maybe that's a
> > > > secure way to connect without anyone seeing your
> > > > password in case of sqlserver problems.
> > > >
> > > >
> > > > Greetz,
> > > > Bjorn Van Simaeys
> > > > www.bvsenterprises.com
> > > >
> > > >
> > > >
> > > >
> > > > --- BRACK <[EMAIL PROTECTED]> wrote:
> > > > > If you have Apache and MySQL servers make this experiment -
> > > > > start Apache but "forget" to start SQL and go to your site
> > > > > http://localhost/... you will see yourself all the information
> > > > > on the screen.
> > > > >
> > > > > Youri
> > > > >
> > > > > On 7 Aug 2001, at 12:53, Ryan Christensen wrote:
> > > > >
> > > > > > I'm curious as to how the "hacker" would see all this information (the
> > > > > > username.. password, etc..) just by going to a site where the SQL backend
> > > > > > was down?
> > > > > >
> > > > > > Ryan
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: BRACK [mailto:[EMAIL PROTECTED]]
> > > > > > > Sent: Tuesday, August 07, 2001 12:36 PM
> > > > > > > To: [EMAIL PROTECTED]
> > > > > > > Subject: [PHP] MySQL connection
> > > > > > >
> > > > > > >
> > > > > > > I just wanted to bring the issue of security of MySQL connection:
> > > > > > >
> > > > > > > Let us imagine that SQL server was down for some hours (of
> > > > > > > course without us knowing it) and at the same hours our SQL site
> > > > > > > was visited by some kind of hacker, he can see on his screen all
> > > > > > > our SQL connection info like username, password, and database
> > > > > > > name. You may hide this information in different file than the file
> > > > > > > that your users open then the hacker will see something like
> > > > > > > "include("connect.inc");" or "require("connect.inc");" (of course IF
> > > > > > > server is down). So you may only imagine the consequences of
> > > > > > > this visit of the hacker. What can we do to protect our sensitive
> > > > > > > information if SQL server is down?
> > > > > > >
> > > > > > > Youri
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> >
> === message truncated ===
>
>



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
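
The audit below is an added example, not part of the thread or of any poster's code: it walks a document root and reports files holding the literal-credential patterns quoted in the messages above, separating files the server always sends as plain text (the .inc case) from files exposed only when the PHP handler fails. The PHP_HANDLED set, the function names and the sample site layout are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the extensions httpd.conf maps to the PHP interpreter on this server.
PHP_HANDLED = {".php", ".php3", ".phtml"}
# The two literal-credential shapes quoted in the thread.
CONNECT_LITERAL = re.compile(
    r"""mysqli?_connect\s*\(\s*(['"]).*?\1\s*,\s*(['"]).*?\2\s*,\s*(['"]).+?\3""")
PASSWORD_ASSIGN = re.compile(r"""\$\w*pass\w*\s*=\s*(['"]).+?\1""", re.IGNORECASE)

def audit_docroot(docroot):
    """Return sorted (path, risk) pairs for files holding literal credentials.
    served-as-text: not PHP-handled, every request returns the source (.inc).
    exposed-if-php-fails: parsed today, sent as source if the handler breaks."""
    root = Path(docroot)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        text = path.read_text(errors="replace")
        if not (CONNECT_LITERAL.search(text) or PASSWORD_ASSIGN.search(text)):
            continue
        handled = path.suffix.lower() in PHP_HANDLED
        risk = "exposed-if-php-fails" if handled else "served-as-text"
        findings.append((path.relative_to(root).as_posix(), risk))
    return sorted(findings)

SAMPLE = {  # constructed files; private/ sits outside the document root
    "htdocs/index.php": '<? mysql_connect("host", "user", "password"); ?>',
    "htdocs/include/dbconnect.inc": '<? $db_password = "mypassword"; ?>',
    "htdocs/list.php": '<? include("variables.php3");\n'
                       '$link = mysql_connect($db_server,$db_login,$db_password); ?>',
    "private/variables.php3": '<? $db_password = "mypassword"; ?>',
}

def build_sample_docroot(base):
    """Write the constructed layout under base and return its htdocs path."""
    for rel, body in SAMPLE.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return Path(base) / "htdocs"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, risk in audit_docroot(build_sample_docroot(tmp)):
            print(f"{risk:22} {rel}")
```

Only list.php, which takes its values from a file kept outside htdocs, comes back clean; the copy in private/ is never scanned because no URL maps to it.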
