31st August 2011, 01:13 PM #1
Plaintext Database Access
I keep seeing examples online where usernames and passwords are stored in plaintext using PHP script in a file such as connection.php. Is this safe if pulling website content from a database or will potential attackers be able to read the source-code?
31st August 2011, 01:17 PM #2
For all intents and purposes it's "generally" fine, as it's processed server-side before you see it etc. However any errors/misconfiguration blahblah it's in full view.
aka, something not that important I wouldn't worry, something major no-no!
31st August 2011, 01:24 PM #3
As a general rule you try to keep those files out of the external access dirs (aka not inside /var/www/htdocs/ for example) but it's fine really as long as your server processes the PHP.
The problem can occur if you break php and then .php files would be outputted raw thus readable.
A far far bigger security hole is poorly locked down write permitted directories tbh.
31st August 2011, 01:39 PM #4
So how would I fix the break PHP problem and stop people looking at it?
I know what you mean with write directories too, learned that the hard way! Gave up with those a long time ago as they are too much hassle to secure.
31st August 2011, 01:42 PM #5
Well don't give out root/admin and be careful when patching php really. The whole php engine would have to fail but if you simply move the connections.php file for example up a few dirs to a directory not accessible from port 80 that will prevent the issue.
Originally Posted by CAM
Also it's not that hard to secure write dirs now with a few php tweaks tbh, I did it with the edugeek server.
31st August 2011, 02:37 PM #6
A recommended method is to use ini files stored outside of the webroot, and use PHP methods to parse the ini files. The reason why this is different than including PHP files outside of the webroot, is that PHP files are included and processed as PHP files. If the config file contained a syntax error, you could still run the risk of exposing the contents.
Like what happened to Tumblr a while ago. (See here and here).
As always, there is never one hard and fast rule, and environments do differ quite a lot.
2 Thanks to webman:
CAM (31st August 2011), ZeroHour (31st August 2011)
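The ini-file approach from post #6, as an added example that is not code from the thread: credentials are read as data with `parse_ini_file()`, and the loader refuses a file that sits inside the web root or is world-readable. The function name `load_db_config`, the file name `db.ini`, the `[database]` section and its keys, and the temporary directory layout are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the thread): load DB credentials from an
// ini file that must live outside the web root.
function load_db_config(string $iniPath, string $docRoot): array
{
    $real = realpath($iniPath);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('Config file or web root not found');
    }
    // Refuse a config file the web server could serve as a static file.
    if (strpos($real, rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('Config file is inside the web root');
    }
    // Refuse world-readable files (POSIX permission bits).
    if ((fileperms($real) & 0004) !== 0) {
        throw new RuntimeException('Config file is world-readable');
    }
    // parse_ini_file() reads the file as data; it is never executed as PHP.
    // INI_SCANNER_RAW keeps values literal, which suits passwords.
    $cfg = @parse_ini_file($real, true, INI_SCANNER_RAW);
    if ($cfg === false || !isset($cfg['database'])) {
        throw new RuntimeException('Config file is invalid'); // no file contents in the message
    }
    foreach (['host', 'name', 'user', 'pass'] as $key) {
        if (!isset($cfg['database'][$key])) {
            throw new RuntimeException("Missing database setting: $key");
        }
    }
    return $cfg['database'];
}

// Constructed demo: a throwaway directory layout standing in for a real server.
$base = sys_get_temp_dir() . '/inidemo_' . bin2hex(random_bytes(4));
mkdir("$base/htdocs", 0755, true);   // stand-in web root
mkdir("$base/private", 0700);        // sibling directory, not served over HTTP
$ini = "$base/private/db.ini";
file_put_contents($ini, "[database]\nhost = localhost\nname = site\nuser = web\npass = example-only\n");
chmod($ini, 0600);

$db  = load_db_config($ini, "$base/htdocs");
$dsn = "mysql:host={$db['host']};dbname={$db['name']};charset=utf8mb4";
echo $dsn, PHP_EOL;   // in real use: new PDO($dsn, $db['user'], $db['pass'])
```

If the ini file contains a syntax error, `parse_ini_file()` returns `false` and the loader throws a generic exception, so nothing from the file reaches the response.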