enveetee Posted March 14, 2015 Share Posted March 14, 2015 OK, so my application is now in the Beta phase and I am rolling it out to some tame customers. I am using justhost.com for hosting using a standard Business Pro package Each one of my PHP scripts has an required_once to a PHP include which contains the MySQL login name and password details. Obviously if anyone gains access to this the game is over. Where is the best place to keep this file (I have it in ../includes) How do I stop anyone from seeing the contents Thanks Quote Link to comment https://forums.phpfreaks.com/topic/295219-mysql-login-credentials-where-to-store-them-how-to-prevent-discovery/ Share on other sites More sharing options...
mac_gyver Posted March 14, 2015 Share Posted March 14, 2015 if you are asking about visitors to a site being able to see the raw contents of a .php file, they cannot, since browsing to the file will only show any output from that file. it would require that you have code that's echoing the variables/defined constants holding the database credentials or that your site provided a way for someone to display/download the raw contents of a file on your site, such as by not validating the path and filename being supplied (all external data cannot be trusted and must be validated before use) to a download script or a page controller/template engine that reads the contents of a file and then outputs the content on a page... in the rare event that php on a server ever gets broken and outputs the raw content of .php files or you are using php's short open tags and they get turned off (full opening php tags cannot get turned off), the best place to put ALL included/required files is in a folder that's outside of/below/closer to the disk root folder from your htdocs folder so that they cannot possibly be browsed to. or that your site allows a .php code file to be uploaded onto the server and then browsed to (uploaded files should be placed into a folder that cannot be browsed to) or allows php code to be saved as content that's eval()'ed (using eval() should be avoided unless you know exactly what content is being supplied to it) on the server or allows an external file to be included (the settings that allow this should be turned off) and ran on your server, which would allow someone to run their own php code on your server, which would allow them to take over your site and have access to all of the files anyways. Quote Link to comment https://forums.phpfreaks.com/topic/295219-mysql-login-credentials-where-to-store-them-how-to-prevent-discovery/#findComment-1508047 Share on other sites More sharing options...
enveetee Posted March 15, 2015 Author Share Posted March 15, 2015 Mac_gyver - thanks, very enlightening. The solution seems to be to keep sensitive files (MySQL credentials and raw uploaded files) in a folder which the server cannot access so now the question becomes: How do I access files outside of the server web root? public_html/ /phpfiles /includes /docs /script /other /sensitivefiles <<<<< (my php scripts need access to the contents of this folder but a browser cannot gain access) Cheers Quote Link to comment https://forums.phpfreaks.com/topic/295219-mysql-login-credentials-where-to-store-them-how-to-prevent-discovery/#findComment-1508102 Share on other sites More sharing options...
Ch0cu3r Posted March 15, 2015 Share Posted March 15, 2015 How do I access files outside of the server web root? By using a relative or absolute file path when including the file eg include '../sensitivefiles/db.php'; // relative path include '/home/enveete/yoursite.com/sensitivefiles/db.php'; // absolute path An alternative way would be to add that directory to the include path PHP use file paths to access files not urls. So PHP is not restricted from accessing files outside of the public html folder. PHP can access any file on the sever so long as file permissions allow it to. Quote Link to comment https://forums.phpfreaks.com/topic/295219-mysql-login-credentials-where-to-store-them-how-to-prevent-discovery/#findComment-1508114 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.