PHP question - security

02-05-2007, 03:55 PM
#1
Alex Eyre

Hi guys,
I want to create a script that goes onto a site and submits data to a remote database. This script will be readily available to users, so how can I protect the password of the script?

I was thinking of an include in the PHP to a remote PHP file (starting the database connection).

Replies appreciated.
Alex

02-05-2007, 03:58 PM
#2
Andrew R

Oh, I understand now.

You can encrypt the password (don't use md5 or anything crackable), or yes, including a remote file might work, as long as it is chmodded to 0777.

I think Wildhoney or someone might know how to encrypt it into the file. Let's see if one of them responds.

02-05-2007, 04:04 PM
#3
localhost

Maybe use some type of encryption, for example SHA1? Maybe do:
PHP Code:
$password = 'blah';
$cpassword = md5($password);
// Then safer..
$spassword = sha1($cpassword);
?

02-05-2007, 04:48 PM
#4
Alex Eyre

Thanks to both of you,
I would love to get a secure encryption, not SHA or md5, a custom one, so I await Wildhoney or someone with that talent.
Though if this proves to be hard to set up I will just enter a remote file. @andy, what is 0777 on chmod? What permissions are there?
Alex

02-05-2007, 05:18 PM
#5
Amross

I'm not quite sure what exactly you are trying to accomplish, but there are numerous methods by which you can secure something. Most people think way too hard into it. Is your website really going to be that popular that it will attract the world's most gifted to attack your website? Does it require the level of integrity as something such as a bank?

Using MD5 or SHA-1 while salting it with a random string should more than do the trick for your purpose I'm sure. If you're overly paranoid, just get SHA-512 installed on your server if it is not already and use that... although probably a waste of your time and completely overblown for your purpose.

02-05-2007, 05:22 PM
#6
Amross

On a side note, after reading what you said a second time (since I still don't quite understand what you mean): if this 'password of the script' you are referring to is the database password, simply put all of the database details (username, password, etc.) into a separate file and upload it outside of the document root directory, then include it in your file(s) that need it. Web browsers cannot view files outside of the document root; however, your server can still link to/process them.
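
An added example (not part of the post above, nor code from the thread) of the layout post #6 describes: the settings sit in a file outside the document root, and a loader refuses to use them if the file is web-reachable or open to other accounts. The paths, the `load_db_config` name and the `dsn`/`user`/`pass` keys are assumptions.

```php
<?php
// Added example; paths and names are hypothetical.
// Assumed layout: /home/site/public_html is the document root and
// /home/site/private/db.php contains:
//   <?php return ['dsn' => 'mysql:host=localhost;dbname=app', 'user' => '...', 'pass' => '...'];

function load_db_config(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('Config file or document root not found');
    }
    // Refuse a config file that sits anywhere under the web-served tree.
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real . DIRECTORY_SEPARATOR, $rootPrefix, strlen($rootPrefix)) === 0) {
        throw new RuntimeException('Config file is inside the document root');
    }
    // Unix hosts: refuse a file that "other" accounts can read, write or execute.
    $mode = fileperms($real) & 0777;
    if ($mode & 0007) {
        throw new RuntimeException(sprintf('Config mode %04o is open to other users', $mode));
    }
    $config = require $real;
    if (!is_array($config)) {
        throw new RuntimeException('Config file must return an array');
    }
    foreach (['dsn', 'user', 'pass'] as $key) {
        if (!isset($config[$key])) {
            throw new RuntimeException("Config is missing '$key'");
        }
    }
    return $config;
}

// Usage from a script inside public_html (assumed layout above):
$cfg = load_db_config(__DIR__ . '/../private/db.php', $_SERVER['DOCUMENT_ROOT']);
$pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
```

This protects the password only while the script runs on a server you control; a copy of the script handed out to users would have to ship the settings file with it.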

02-05-2007, 05:27 PM
#7
Salathe

Rather than allowing anyone and everyone direct access to your database, why not set up a simple web service (API) which users can tie in to? That way, you can handle all the permissions, security, authorisation, authentication, etc. Plus you'll be cool for opening up an API.
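
An added example, not from the thread, of the kind of web service post #7 suggests: the distributed script sends a per-user key over HTTPS, and only the server ever holds the database password. The `X-API-Key` header, the table names and the file paths are hypothetical.

```php
<?php
// submit.php: added example of a server-side endpoint (all names hypothetical).
// Assumes tables api_keys(user_id, key_hash) and submissions(user_id, body),
// and ../private/db.php (outside the document root) returning dsn/user/pass.

function authenticate(PDO $pdo, string $presentedKey): ?int
{
    // Only SHA-256 digests of the random per-user keys are stored server-side.
    $hash = hash('sha256', $presentedKey);
    $stmt = $pdo->prepare('SELECT user_id, key_hash FROM api_keys WHERE key_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // hash_equals compares the digests in constant time.
    return ($row && hash_equals($row['key_hash'], $hash)) ? (int) $row['user_id'] : null;
}

function respond(int $status, array $body): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
    exit;
}

$cfg = require __DIR__ . '/../private/db.php';
$pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    respond(405, ['error' => 'POST only']);
}
$key = $_SERVER['HTTP_X_API_KEY'] ?? '';   // sent by the distributed script
$userId = ($key !== '') ? authenticate($pdo, $key) : null;
if ($userId === null) {
    respond(401, ['error' => 'invalid API key']);
}
$raw = $_POST['body'] ?? '';
$body = is_string($raw) ? trim($raw) : '';
if ($body === '' || strlen($body) > 2000) {
    respond(422, ['error' => 'body must be 1-2000 bytes']);
}
// Prepared statement: client data never becomes part of the SQL text.
$stmt = $pdo->prepare('INSERT INTO submissions (user_id, body) VALUES (?, ?)');
$stmt->execute([$userId, $body]);
respond(201, ['id' => (int) $pdo->lastInsertId()]);
```

A leaked key can be revoked by deleting its row in `api_keys`, which does not affect other users or the database password.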

02-05-2007, 06:04 PM
#8
Alex Eyre

Where do I start with this API business?
If I include a PHP document, will the users not be able to download it, open it and then find the password?
Alex

02-05-2007, 06:27 PM
#9
Amross

Originally Posted by halotree06:
If I include a php document, will the users not be able to download it, open it and then find the password?
Alex

Correct, just ensure that the PHP document that contains the details is outside of the document root directory as I mentioned to you previously. That would make the file hidden to all users, but the server would still be able to link to it.

02-05-2007, 06:31 PM
#10
Alex Eyre

By root directory, you mean not in public_html?
