php5 - Keeping local site secure

January 19th, 2013, 03:47 AM
theabsentcoder

Good Day!

I currently have a local apache/mysql/php set up which can be accessed by other members at work.

Each of my pages - phpfunctions.php - requires a file which contains the full database login details as part of a session - including the password, etc.

So at present any user could in effect log onto my machine remotely, and then access the htdocs and view that file, thus seeing the password to the database.

What would be the best way to encrypt this? I'm thinking along the lines of storing that particular file within a secure folder, so that only those with permissions can access it.

Is there another way?

Thank you..

January 22nd, 2013, 07:32 AM
theabsentcoder
Anybody?!?

Quote:
Originally Posted by theabsentcoder
Good Day!

I currently have a local apache/mysql/php set up which can be accessed by other members at work.

Each of my pages - phpfunctions.php - requires a file which contains the full database login details as part of a session - including the password, etc.

So at present any user could in effect log onto my machine remotely, and then access the htdocs and view that file, thus seeing the password to the database.

What would be the best way to encrypt this? I'm thinking along the lines of storing that particular file within a secure folder, so that only those with permissions can access it.

Is there another way?

Thank you..

January 23rd, 2013, 04:58 AM
DavidMR
Storing passwords in plain text should never be done. Hashing a password with salt is an idea.

PHP Code:
// Fixed salt appended to the submitted password before hashing
$salt = "randombitofstring";
$check_password = sha1($password_given . $salt);


You would then compare the password above with the one that is saved in the database.

Once the session is maintained throughout the script flow using session_start() you should be able to verify the password whenever you want.
__________________
When I die, I want to go peacefully like my Grandfather did, in his sleep -- not screaming, like the passengers in his car.

January 23rd, 2013, 02:35 PM
IAmALlama
Quote:
Originally Posted by DavidMR
Storing passwords in plain text should never be done. Hashing a password with salt is an idea.

PHP Code:
// Fixed salt appended to the submitted password before hashing
$salt = "randombitofstring";
$check_password = sha1($password_given . $salt);


You would then compare the password above with the one that is saved in the database.

Once the session is maintained throughout the script flow using session_start() you should be able to verify the password whenever you want.

Problem is, it's the database password he wants to hide.

As for a solution, there really isn't one. If someone can access your computer to get the database password, then if you encrypt the password, they can also access the key/method to decrypt the password. If you obfuscate that, chances are they can just write a php script that uses your decrypt method and echo out the password, put it in the document root and run the script. All methods would take a matter of minutes to perform a decrypt.

Your best bet is to just rely on the permissions of your computer system for this. You should restrict permissions of the full document root to be only read/write by yourself and read by the webserver user. This will prevent anyone but yourself from being able to even view the files and stop anyone else from just creating a script and gaining access to your system as what is most likely a locally privileged/elevated account that the webserver is running under.

If you don't block the document root from being at least written to by other users, then no protection will work. You need some way to decrypt the password in your code to connect to the database. Someone could just create a script that says "echo $DB_Password;" copy it to the document root and open the page.
Comments on this post
MatthewJ agrees: Any security that can be put in place is negated by the ability to physically breach the computer.

Last edited by IAmALlama : January 23rd, 2013 at 02:39 PM.

January 27th, 2013, 06:26 AM
theabsentcoder
Nice one. I think local folder permissions might be the way; however, I'll take a look at hashing to improve my knowledge. It may be that added bit of security that could be outside of reach of the casual database viewer...

Cheers

January 28th, 2013, 07:40 PM
IAmALlama
Hashing won't help you with the database credentials. Hashing is kind of like one-way encryption. Given a hashed string, no one should be able to "decrypt" it back into the original string. So for example if you saw "3517f3f0507c91715cf61110873ed45aa519a6e31aabf4fcad5fa2fda0bb8153" somewhere, you would have no idea what that is. It is the sha256 hash of "p@ssW0r|)". The point of one-way hashing like this is that every time I do a sha256 of "p@ssW0r|)" I get the same "3517f3f0507c91715cf61110873ed45aa519a6e31aabf4fcad5fa2fda0bb8153" string. Also if you make a simple change, such as adding a 1 at the end, you get a completely different string that in no way resembles the first string: "0cddbdcd0217c27b14fc38681a5a9c7d48788348530ea17dfa554e36d8b57d11" is "p@ssW0r|)1". And once again no matter how many times I sha256("p@ssW0r|)1") I get "0cddbdcd0217c27b14fc38681a5a9c7d48788348530ea17dfa554e36d8b57d11". So how hashing works is: I store "0cddbdcd0217c27b14fc38681a5a9c7d48788348530ea17dfa554e36d8b57d11" in my database, and when someone types in their password to login I run it through sha256, get that hash, then compare the hash with what I have stored in the database. If they match, then I can be sure that they typed in the same password.

Now, the reason this won't help you with the database credentials is that the database expects the un-hashed string. Hashing it will not let you log in to the database, and given the hashed string you cannot get the un-hashed string to pass to the database as it expects.

However, if you are accepting registration where you have people enter user/pass to login, you NEED to be doing hashing or else you will run into trouble.
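The following is an added example, not code from any of the posters, that shows in PHP what the post above describes: the same input always hashes to the same SHA-256 digest, appending one character produces an unrelated digest, and for the registration case (DavidMR's salted sha1 and the "you NEED to be doing hashing" point here) PHP's own password_hash()/password_verify() (PHP 5.5 and later) is the right tool rather than a fast hash with a fixed salt. The helper names sha256_hex, hex_distance, make_password_record and check_login are made up for this example, and the digests are computed at runtime rather than copied from the post.

```php
<?php
// Added example: one-way hashing as described in the thread.
// Requires PHP >= 5.5 for password_hash()/password_verify().

// Hex SHA-256 digest of a string; the same input always yields the same digest.
function sha256_hex($input)
{
    return hash('sha256', $input);
}

// Number of positions at which two hex digests differ. Used to show that a
// one-character change to the input scrambles most of the digest.
function hex_distance($x, $y)
{
    $diff = 0;
    $len = min(strlen($x), strlen($y));
    for ($i = 0; $i < $len; $i++) {
        if ($x[$i] !== $y[$i]) {
            $diff++;
        }
    }
    return $diff + abs(strlen($x) - strlen($y));
}

// Registration: store only the slow, salted hash, never the password itself.
// password_hash() picks a fresh random salt on every call and embeds it in the
// returned string, so two users with the same password get different records.
function make_password_record($password)
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Login: compare the submitted password against the stored record.
// password_verify() re-hashes with the salt embedded in the record and uses a
// timing-safe comparison.
function check_login($submitted, $stored_record)
{
    return password_verify($submitted, $stored_record);
}

// --- demonstration with constructed sample inputs (the strings from the post) ---
$p1 = 'p@ssW0r|)';
$p2 = 'p@ssW0r|)1';      // one character appended

$h1       = sha256_hex($p1);
$h1_again = sha256_hex($p1);
$h2       = sha256_hex($p2);

printf("sha256(%s) = %s\n", $p1, $h1);
printf("deterministic: %s\n", $h1 === $h1_again ? 'yes' : 'no');
printf("sha256(%s) = %s\n", $p2, $h2);
printf("hex digits differing after a 1-char change: %d of %d\n",
    hex_distance($h1, $h2), strlen($h1));

$record = make_password_record($p1);
printf("stored record: %s\n", $record);
printf("login with correct password: %s\n", check_login($p1, $record) ? 'ok' : 'rejected');
printf("login with wrong password:   %s\n", check_login($p2, $record) ? 'ok' : 'rejected');
```

Run it twice and the two sha256 lines repeat exactly while the stored record changes each time, which is the difference between a bare digest and a properly salted password record. None of this applies to the MySQL credentials: the server needs the real password string, which is the point of the post above.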

January 29th, 2013, 12:50 AM
rbrown
You didn't mention how they exactly have access...

1) Physical access to the server (don't let them)

2) Network access (Don't share the folders)
Or if you have people working on the files then you need to only allow the ones you trust access to the files, because they will have full run of the machine and can run any code to dump any or all of the variables.

3) Intranet/internet access only. (Put the files below the web root and include them. Or add a function like this in each file you don't want to be accessed directly. And make sure your errors are turned off. And don't be including the db un/pw in a session variable.)

PHP Code:
// Put this in your functions....

function File_Locker($input) {
    // $_SERVER['SCRIPT_FILENAME'] is the script the web server was asked to run.
    // If that is this very file, it was requested directly rather than included.
    if ($input == basename($_SERVER['SCRIPT_FILENAME'])) {
        die('
        <html>
        <head>
        <style>
        body {margin: 0; padding: 0;background-color:yellow; color:red}
        </style>
        </head>
        <body>
        <center>
        <h2>Silly Rabbit!<br>TRIX are for kids!<br>Direct File Access Prohibited!</h2>
        </center>
        </body>
        </html>
        ');
    }
}

// add this line to your included files but not in your web pages...
File_Locker(basename(__FILE__));
__________________
Bob
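Pulling together IAmALlama's advice (rely on file-system permissions and keep other users from writing into the document root) and rbrown's point 3 (keep the credentials file below the web root, turn error display off, and keep the db user/password out of session variables), here is an added PHP example that is not from any of the posters. It assumes a Unix-like host, an Apache document root of /var/www/htdocs and a credentials file at /var/www/private/db.php; those paths, the DB_CONFIG_PATH constant, the config keys and the functions load_db_config and db_connect are all made up for the example.

```php
<?php
// Added example, not from the thread. Assumed layout (Unix-like host):
//   /var/www/htdocs/           Apache document root (reachable over the network)
//   /var/www/private/db.php    credentials, OUTSIDE the document root
//
// The private file should be owned by you, group-readable by the web server
// account only, and unreadable by everyone else (e.g. mode 0640 with the web
// server's group). It returns a plain array, e.g.:
//
//   <?php
//   return array('host' => 'localhost', 'name' => 'appdb',
//                'user' => 'appuser',   'pass' => 'PLACEHOLDER-PASSWORD');

define('DB_CONFIG_PATH', '/var/www/private/db.php');   // assumed path

// Never show PHP errors to browsers: a failed include or a PDO exception
// message can leak the path or the credentials themselves.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Load the credentials, refusing any file that other local users can read.
function load_db_config($path)
{
    if (!is_file($path)) {
        throw new RuntimeException("DB config not found: $path");
    }

    // fileperms() returns the full st_mode; keep only the permission bits and
    // reject the file if any "other" bit (read/write/execute) is set.
    $mode = fileperms($path) & 0777;
    if (($mode & 0007) !== 0) {
        throw new RuntimeException(sprintf(
            'Refusing to load %s: mode %04o is accessible by "other"', $path, $mode));
    }

    $config = include $path;
    if (!is_array($config)) {
        throw new RuntimeException("DB config did not return an array: $path");
    }
    foreach (array('host', 'name', 'user', 'pass') as $key) {
        if (!isset($config[$key])) {
            throw new RuntimeException("DB config missing key: $key");
        }
    }
    return $config;
}

// Open the connection and return it. The credentials stay local to this
// function: they are not copied into $_SESSION, a global or a constant, so a
// stray "echo" elsewhere in the application has nothing to print.
function db_connect()
{
    $cfg = load_db_config(DB_CONFIG_PATH);
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8', $cfg['host'], $cfg['name']);
    return new PDO($dsn, $cfg['user'], $cfg['pass'], array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ));
}

// Usage from a page under the document root, e.g. /var/www/htdocs/index.php
// (this file is assumed to live outside htdocs as well):
//   require '/var/www/private/db_connect.php';
//   $db   = db_connect();
//   $stmt = $db->prepare('SELECT id, name FROM users WHERE id = ?');
//   $stmt->execute(array(1));
```

The permission check is a guard, not the control. The control is the ownership and mode on the private directory and on the document root that IAmALlama describes, which on a shared machine must also stop other accounts from writing into htdocs, since anyone who can drop a script there can call db_connect() themselves. The check only keeps the application from silently running with a world-readable credentials file, and it inspects only the "other" bits, so the file's group really has to be the web server's group and nobody else's.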

Powered by: vBulletin Version 3.0.5
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.

© 2003-2014 by Developer Shed. All rights reserved. DS Cluster - Follow our Sitemap