Thread title: PHP question - security |
02-05-2007, 03:55 PM
|
#1
|
Status: Designer
Join date: Aug 2006
Location: Manchester
Expertise:
Software:
Posts: 1,132
|
PHP question - security
Hi guys,
I want to create a script that goes onto a site and submits data to a remote database. This script will be readily available to users, so how can I protect the password of the script?
I was thinking of an include in the PHP to a remote PHP file (starting the database connection).
Replies appreciated.
Alex
|
|
02-05-2007, 03:58 PM
|
#2
|
Status: Request a custom title
Join date: Dec 2005
Location: Arizona
Expertise:
Software:
Posts: 5,200
|
Oh, I understand now.
You can encrypt the password (don't use md5 or anything crackable), or yes, including a remote file might work, as long as it is chmodded to 0777.
I think Wildhoney or someone might know how to encrypt it into the file. Let's see if one of them responds.
|
|
02-05-2007, 04:04 PM
|
#3
|
Status: Dediport Hosting
Join date: Jul 2006
Location: Berkshire
Expertise: programming, business
Software: Dreamweaver
Posts: 1,316
|
Maybe use some type of encryption, for example SHA1? Maybe do:
PHP Code:
$password = 'blah';
$cpassword = md5($password);
// Then safer..
$spassword = sha1($cpassword);
?
|
|
02-05-2007, 04:48 PM
|
#4
|
Status: Designer
Join date: Aug 2006
Location: Manchester
Expertise:
Software:
Posts: 1,132
|
Thanks to both of you,
I would love to get a secure encryption, not SHA or md5, a custom one, so I await wildhoney or someone with that talent.
Though if this prevails to be hard to set up I will just enter a remote file. @andy what is 0777 on chmod? What permissions are there?
Alex
|
|
02-05-2007, 05:18 PM
|
#5
|
Status: Member
Join date: Jan 2007
Location:
Expertise:
Software:
Posts: 311
|
I'm not quite sure what exactly you are trying to accomplish, but there are numerous methods by which you can secure something. Most people think way too hard into it. Is your website really going to be so popular that it will attract the world's most gifted to attack your website? Does it require the level of integrity of something such as a bank?
Using MD5 or SHA-1 while salting it with a random string should more than do the trick for your purpose I'm sure. If you're overly paranoid, just get SHA-512 installed on your server if it is not already and use that... although probably a waste of your time and completely overblown for your purpose.
|
|
02-05-2007, 05:22 PM
|
#6
|
Status: Member
Join date: Jan 2007
Location:
Expertise:
Software:
Posts: 311
|
On a side note, after reading what you said a second time (since I still don't quite understand what you mean), if this 'password of the script' you are referring to is the database password, simply put all of the database details (username, password, etc.) into a separate file and upload it outside of the document root directory, then include it in your file(s) that need it. Web browsers cannot view files outside of the document root; however, your server can still link to/process them.
|
|
02-05-2007, 05:27 PM
|
#7
|
Status: Community Archaeologist
Join date: Jul 2004
Location: Scotland
Expertise: Software Development
Software: vim, PHP
Posts: 3,820
|
Rather than allowing anyone and everyone direct access to your database, why not set up a simple web service (API) which users can tie in to? That way, you can handle all the permissions, security, authorisation, authentication, etc. Plus you'll be cool for opening up an API.
|
|
02-05-2007, 06:04 PM
|
#8
|
Status: Designer
Join date: Aug 2006
Location: Manchester
Expertise:
Software:
Posts: 1,132
|
Where do I start with this API business?
If I include a PHP document, will the users not be able to download it, open it and then find the password?
Alex
|
|
02-05-2007, 06:27 PM
|
#9
|
Status: Member
Join date: Jan 2007
Location:
Expertise:
Software:
Posts: 311
|
Originally Posted by halotree06
If I include a php document, will the users not be able to download it, open it and then find the password?
Alex
|
Correct, just ensure that the PHP document that contains the details is outside of the document root directory, as I mentioned to you previously. That would make the file hidden to all users, but the server would still be able to link to it.
|
|
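The approach suggested in posts #6, #7 and #9, sketched as an added example that is not part of the original thread: the database credentials stay in a file above the document root and only a small server-side endpoint uses them, so the script handed to users carries a per-user API key rather than the database password. The paths, the `X-Api-Key` header, and the `api_keys` and `submissions` tables are assumptions made for illustration.

```php
<?php
// submit.php: the only file the distributed script talks to (inside the document root).
// Added example; paths, header name, tables and columns are assumptions.

// Credentials live one level above the document root, so no URL maps to them.
// The file returns ['dsn' => ..., 'user' => ..., 'pass' => ...].
$configPath = dirname($_SERVER['DOCUMENT_ROOT']) . '/private/db-config.php';
$mode = @fileperms($configPath);
// Refuse to run if the file is missing or accessible to "other" users (for example mode 0777).
if ($mode === false || ($mode & 0007) !== 0) {
    http_response_code(500);
    exit('server misconfigured');
}
$config = require $configPath;
header('Content-Type: application/json');

// The client sends its own random per-user key, never the database password.
$apiKey = $_SERVER['HTTP_X_API_KEY'] ?? '';
$value  = $_POST['value'] ?? '';
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !is_string($apiKey) || $apiKey === ''
    || !is_string($value) || $value === '' || strlen($value) > 255) {
    http_response_code(400);
    exit(json_encode(['error' => 'bad request']));
}

try {
    $pdo = new PDO($config['dsn'], $config['user'], $config['pass'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    // Only the SHA-256 hash of each random, high-entropy key is stored server-side.
    $stmt = $pdo->prepare('SELECT user_id FROM api_keys WHERE key_hash = ? AND revoked = 0');
    $stmt->execute([hash('sha256', $apiKey)]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        http_response_code(401);
        exit(json_encode(['error' => 'unauthorised']));
    }
    // Bound parameters: submitted data is never concatenated into the SQL text.
    $insert = $pdo->prepare('INSERT INTO submissions (user_id, value) VALUES (?, ?)');
    $insert->execute([$userId, $value]);
    http_response_code(201);
    echo json_encode(['id' => (int) $pdo->lastInsertId()]);
} catch (PDOException $e) {
    // Generic reply only: driver messages and traces can expose connection details.
    http_response_code(500);
    echo json_encode(['error' => 'server error']);
}
```

A leaked or abused key can be revoked for that one user in `api_keys` without changing the database password.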
02-05-2007, 06:31 PM
|
#10
|
Status: Designer
Join date: Aug 2006
Location: Manchester
Expertise:
Software:
Posts: 1,132
|
By root directory, you mean not in public_html?