  1. #1
    CAM

    Plaintext Database Access

    I keep seeing examples online where usernames and passwords are stored in plaintext using PHP script in a file such as connection.php. Is this safe if pulling website content from a database or will potential attackers be able to read the source-code?

  2. #2

    Steve21
    For all intents and purposes it's "generally" fine, as it's processed server-side before you see it etc. However, any errors/misconfiguration blah blah and it's in full view.

    aka, something not that important I wouldn't worry, something major no-no!

    Steve

  3. Thanks to Steve21 from:

    CAM (31st August 2011)

  4. #3

    ZeroHour
    As a general rule you try to keep those files out of the external access dirs (aka not inside /var/www/htdocs/ for example) but it's fine really as long as your server processes the php.
    The problem can occur if you break php and then .php files would be outputted raw, thus readable.
    A far, far bigger security hole is poorly locked down write-permitted directories tbh.

  5. Thanks to ZeroHour from:

    CAM (31st August 2011)

  6. #4
    CAM
    So how would I fix the break PHP problem and stop people looking at it?

    I know what you mean with write directories too, learned that the hard way! Gave up with those a long time ago as they are too much hassle to secure.

  7. #5

    ZeroHour
    Originally posted by CAM:
        So how would I fix the break PHP problem and stop people looking at it?

        I know what you mean with write directories too, learned that the hard way! Gave up with those a long time ago as they are too much hassle to secure.

    Well, don't give out root/admin and be careful when patching php really. The whole php engine would have to fail, but if you simply move the connections.php file, for example, up a few dirs to a directory not accessible from port 80, that will prevent the issue.

    Also it's not that hard to secure write dirs now with a few php tweaks tbh, I did it with the edugeek server.

  8. #6

    webman
    A recommended method is to use ini files stored outside of the webroot, and use PHP methods to parse the ini files. The reason why this is different than including PHP files outside of the webroot, is that PHP files are included and processed as PHP files. If the config file contained a syntax error, you could still run the risk of exposing the contents.

    Like what happened to Tumblr a while ago. (See here and here).

    As always, there is never one hard and fast rule, and environments do differ quite a lot.

  9. 2 Thanks to webman:

    CAM (31st August 2011), ZeroHour (31st August 2011)
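Added example, not code from any poster in this thread: a loader that combines the advice in posts #5 and #6 by keeping credentials in an ini file outside the web root, reading it with parse_ini_file(), and refusing to run if the file resolves inside the document root. The paths, the ini section and key names, and the function name load_db_config() are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed layout (hypothetical paths, not from the thread):
//   /var/www/htdocs/          document root, reachable over HTTP
//   /var/www/private/db.ini   credentials file, outside the document root
// Constructed sample db.ini (quote values containing non-alphanumeric characters):
//   [database]
//   host = "localhost"
//   name = "site"
//   user = "site_ro"
//   pass = "change-me"

function load_db_config(string $iniPath, string $docRoot): array
{
    $real = realpath($iniPath);            // resolves symlinks and ../ segments
    if ($real === false || !is_readable($real)) {
        throw new RuntimeException('DB config missing or unreadable');
    }
    // An .ini file inside the web root is typically served as plain text, so refuse it.
    $root = realpath($docRoot);
    if ($root !== false) {
        $prefix = rtrim($root, '/') . '/';
        if (strncmp($real, $prefix, strlen($prefix)) === 0) {
            throw new RuntimeException('DB config must live outside the web root');
        }
    }
    // parse_ini_file() reads the file as data; nothing in it is executed as PHP.
    $ini = parse_ini_file($real, true);
    $db  = is_array($ini) ? ($ini['database'] ?? null) : null;
    foreach (['host', 'name', 'user', 'pass'] as $key) {
        if (!is_array($db) || !isset($db[$key])) {
            throw new RuntimeException("DB config lacks database.$key");
        }
    }
    return $db;
}

try {
    $db  = load_db_config('/var/www/private/db.ini', $_SERVER['DOCUMENT_ROOT'] ?? '/var/www/htdocs');
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $db['host'], $db['name']);
    $pdo = new PDO($dsn, $db['user'], $db['pass'], [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
} catch (Throwable $e) {
    error_log('DB setup failed: ' . $e->getMessage()); // detail stays in the server log
    http_response_code(500);
    exit('Service temporarily unavailable.');
}
```

The ini file only needs to be readable by the account PHP runs as, so its permissions can be restricted accordingly.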
