The Little Guy Posted January 11, 2007 Share Posted January 11, 2007 I have a file that contains all the database connection information, how could I hide that in a safe place and only allow files within a certain folder to have access, and no sub folders unless I specify which ones. Quote Link to comment https://forums.phpfreaks.com/topic/33717-database-security/ Share on other sites More sharing options...
Cep Posted January 11, 2007 Share Posted January 11, 2007 What is the file type? If its php its already hidden, php will only output code, if you tell it too. Quote Link to comment https://forums.phpfreaks.com/topic/33717-database-security/#findComment-158111 Share on other sites More sharing options...
The Little Guy Posted January 11, 2007 Author Share Posted January 11, 2007 well... I'm allowing people to upload files, such as php, and if they find out the name and location of the file, they could possibly get the contents of the file and hack my database. Quote Link to comment https://forums.phpfreaks.com/topic/33717-database-security/#findComment-158114 Share on other sites More sharing options...
Cep Posted January 11, 2007 Share Posted January 11, 2007 How are you allowing uploads? Via a script? FTP accounts? Your not making any sense.If your using FTP you can restrict where FTP users can go on your sites folder structure, this has nothing to do with PHP though its purely how you run FTP on your site.PHP scripts for uploading don't allow any kind of view of your entire folders/files structure they just simply create a copy of the uploaded file and move it from the temp directory to the destination directory set out in the script. Quote Link to comment https://forums.phpfreaks.com/topic/33717-database-security/#findComment-158355 Share on other sites More sharing options...
HuggieBear Posted January 11, 2007 Share Posted January 11, 2007 Firstly, It's a bad idea to allow people to upload files into the same folder as your connect page.Secondly, even if they have the name of your connect.php page, they can't view any of the details by running it as it's enclosed in PHP's tags, meaning it gets executed server side.RegardsHuggie Quote Link to comment https://forums.phpfreaks.com/topic/33717-database-security/#findComment-158360 Share on other sites More sharing options...
The Little Guy Posted January 11, 2007 Author Share Posted January 11, 2007 [quote author=HuggieBear link=topic=121909.msg502360#msg502360 date=1168533124]Firstly, It's a bad idea to allow people to upload files into the same folder as your connect page.[/quote]Its not in the same folder.[quote author=Cep link=topic=121909.msg502355#msg502355 date=1168532818]Via a script? FTP accounts? Your not making any sense.[/quote]I'm using a script.basically what I'm saying, is if someone found the name of the file of all the database connection information, all they would need to do is this (example):include"/connect.php";mysql_query("drop table table_name"); Quote Link to comment https://forums.phpfreaks.com/topic/33717-database-security/#findComment-158432 Share on other sites More sharing options...
Ninjakreborn Posted January 11, 2007 Share Posted January 11, 2007 ?Put it in a folder outside the root?ANother thing is if they are allowed to upload php file's, set chmod them so tehy cannot be executed, or automatically change hte <?php ?> tags to html entities to prevent them from running, change them back when they are needed. Quote Link to comment https://forums.phpfreaks.com/topic/33717-database-security/#findComment-158451 Share on other sites More sharing options...
Cep Posted January 12, 2007 Share Posted January 12, 2007 Well no you couldn't use,include"/connect.php";mysql_query("drop table table_name");Your connection script must have some sort of variable or function that stores the connection call, so without that function name or variable the above script would turn around and say "What table", "What database" and as they cannot physically view the information contained within the connect.php how are they ever going to know? Quote Link to comment https://forums.phpfreaks.com/topic/33717-database-security/#findComment-158937 Share on other sites More sharing options...
HuggieBear Posted January 12, 2007 Share Posted January 12, 2007 Not necessarily true... Some connect scripts actually carry out the connect itself by just including it, rather than needing to call a function within it from another script, for those that do that, a simple [i]mysql_list_tables()[/i] will get you started.RegardsHuggie Quote Link to comment https://forums.phpfreaks.com/topic/33717-database-security/#findComment-158961 Share on other sites More sharing options...
The Little Guy Posted January 14, 2007 Author Share Posted January 14, 2007 the database info:[code]<?php$dbHost = "localhost"; //Location Of Database usually its localhost$dbUser = "xxxxx"; //Database User Name$dbPass = "xxxxx"; //Database Password$dbDatabase = "file_host"; //Database Name$db = mysql_connect("$dbHost", "$dbUser", "$dbPass") or die ("Error connecting to database.");mysql_select_db("$dbDatabase", $db) or die ("Couldn't select the database.");?>[/code]One way of how I use it:[code]<?phpinclude"db.php";$sql = mysql_query("SELECT * FROM users WHERE id='{$_SESSION['id']}'")or die(mysql_error());$row = mysql_fetch_array($sql);?>[/code] Quote Link to comment https://forums.phpfreaks.com/topic/33717-database-security/#findComment-160276 Share on other sites More sharing options...
corbin Posted January 14, 2007 Share Posted January 14, 2007 You could do like uhhh:[code=php:0]<?php$dbHost = "localhost"; //Location Of Database usually its localhost$dbUser = "xxxxx"; //Database User Name$dbPass = "xxxxx"; //Database Password$dbDatabase = "file_host"; //Database Namefunction dbconn($str) {if($str == "corbin345") {$db = mysql_connect("$dbHost", "$dbUser", "$dbPass") or die ("Error connecting to database.");mysql_select_db("$dbDatabase", $db) or die ("Couldn't select the database.");}}?>[/code]and then on a page you use it[code=php:0]<?phpinclude"db.php";dbconn('corbin345');$sql = mysql_query("SELECT * FROM users WHERE id='{$_SESSION['id']}'")or die(mysql_error());$row = mysql_fetch_array($sql);?>[/code]That way if you called to the function and the string was incorrect it would not execute... Only problem with this is, if they can include the file they can also fopen it, which would output the raw file and they would see the 'password'.Another way you could do it would be[code=php:0]<?php$dbHost = "localhost"; //Location Of Database usually its localhost$dbUser = "xxxxx"; //Database User Name$dbPass = "xxxxx"; //Database Password$dbDatabase = "file_host"; //Database Namefunction dbconn($str) {if(!preg_match("/uploads_folder/", $_SERVER['SCRIPT_NAME'])) {$db = mysql_connect("$dbHost", "$dbUser", "$dbPass") or die ("Error connecting to database.");mysql_select_db("$dbDatabase", $db) or die ("Couldn't select the database.");}}?>[/code]The only problem with that is... All the sudden someone uploads a file that has:[code=php:0]<?php$content = "<?php include('db.php'); mysql_query("DO SOMETHING BAD"); ?>";$han = fopen("../badfile.php", "w+");fwrite($han, $content);?>[/code]Then they simply go to the file they created in their browser and you're badword'dBasically, if you allow users to upload PHP files be VERY VERY VERY careful... If you do not wish for users to be able to execute them, I suggest you do as someone already said and replace all <'s and >'s with < and > or something...In my not so humble opinion, if you allow users to upload and execute PHP files, you're asking to be screwed over. Quote Link to comment https://forums.phpfreaks.com/topic/33717-database-security/#findComment-160290 Share on other sites More sharing options...
The Little Guy Posted January 14, 2007 Author Share Posted January 14, 2007 I was given this:[code]<?phpif(basename(__FILE__) == basename($_SERVER['PHP_SELF'])) send_404(); $dbHost = "localhost"; //Location Of Database usually its localhost$dbUser = "xxxxx"; //Database User Name$dbPass = "xxxxx"; //Database Password$dbDatabase = "file_host"; //Database Name$db = mysql_connect("$dbHost", "$dbUser", "$dbPass") or die ("Error connecting to database.");mysql_select_db("$dbDatabase", $db) or die ("Couldn't select the database.");function send_404(){ header('HTTP/1.x 404 Not Found'); print '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">'."\n". '<html><head>'."\n". '<title>404 Not Found</title>'."\n". '</head><body>'."\n". '<h1>Not Found</h1>'."\n". '<p>The requested URL '. str_replace(strstr($_SERVER['REQUEST_URI'], '?'), '', $_SERVER['REQUEST_URI']). ' was not found on this server.</p>'."\n". '</body></html>'."\n"; exit;}?> [/code] Quote Link to comment https://forums.phpfreaks.com/topic/33717-database-security/#findComment-160391 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.