Is it safe to keep database password and username in config database file in live site

[eluser]Joshua Logsdon[/eluser]
Just another note on top of GnomBrother, if you want to stick to your pure php way... just make a separate constants file (similar to /application/config/constants.php) outside of www, include it at the top of your /applications/config/database.php file and then assign as necessary.

CI is pure php it just may feel a little odd to go outside of the "framework conventions mindset" to do what you need. Compared to hacking up or overriding core stuff though, this is pretty minor.

[eluser]Yorick Peterse[/eluser]
[quote author="Andrew Hull" date="1264321836"][quote author="Yorick Peterse" date="1264225918"][quote author="Andrew Hull" date="1264188623"][quote author="Yorick Peterse" date="1264039609"][quote author="GnomBrother" date="1264007875"]Yes you can do so, by including in database.php as well as you have to include database defined constants in your every controller file which communicates with database. It could be a total mess and many includes just negatively effect site performance. Is it possible to move config folder outside the www folder, if yes, what are the best ways to implement this...[/quote]

No it's not. It's simply impossible to download a PHP file's source code unless you have access to the FTP server.[/quote]

... Except of course when the web server serves it up the php content as text by mistake.... either due to a bug or mis-configuration of the web server, or an exploit being used against the server. (See here for an example http://xforce.iss.net/xforce/xfdb/7735)

In other words, its not "impossible", just highly unlikely, and therefore you should always assume it is possible, and take appropriate measures to avoid the rather obvious consequences.[/quote]

Highly, highly unlikely. Even a default configuration of Apache, Lighttpd or Nginx prevents PHP from being served as static text, unless you're configuring your server rambo style.

If your server is configured properly it's perfectly save to store passwords in .PHP files.[/quote]

Big quote full of fail

[/quote]

Great to see the trolls have arrived. First of all, the first link you posted is about storing plain text passwords in a database, not in a file (even though they're essentially the same considering databases store their info in files, but you get the point). I was talking about storing a password to connect to a database in a .PHP file, which is simply impossible to view unless you've managed to fuck up your server configuration.

By the way I represent the late Mr Mbongo who sadly passed away recently and left $1.8 trillion in his Nigerian bank account, all I need from you in order to pass on your share is your Bank account number and PIN.

Thanks for your time. The cheque is in the Post.

BTW Rambo doesn’t have time to set up my web server, he’s too busy setting up servers for major high street banks, and protecting high ranking officials laptops from prying eyes.

On a serious note though, learn how to do things securely from the outset, it worth the trouble you don’t get into in the end. You wouldn’t leave your car keys on you doormat, so why would you leave the keys to your electronic kingdom just lying about any old where?

The cyber world is full of shoddy security already, so why add to the problem? Just Google “2600” to see who is out there just itching to “test” your security. Its enough to make you whistle (at 2.6kHz of course).

One final point Yorick what version of nginx are you using http://www.securityfocus.com/bid/36384
Ohhh you should be OK, perhaps, maybe, ‘cos you are on version 0.7.64 .... or are you?

What I love about people like you is that they think that by making "funny" statements, or replies, they get karma (or kudo's, or whatever they're called). The truth is, it makes you look like an absolute douche. The nigerian bank account joke is out of place and the rambo reply doesn't make sense. Oh, and yes I'm running Nginx 0.7.64 so that security issue doesn't affect me (neither am I running one of those mentioned operating systems).

Now if you would excuse me, I have better things to do than bothering with people like you.

[eluser]Andrew Hull[/eluser]
I think you will find Joshua Logsdon gets his point across a lot more clearly ... without the personal abuse. Flame Off, Brain On.

My point, for what little it is worth is that while that particular security issue (Nginx 0.7.64 etc) might not affect you, the next one may, but by then it is too late to put the genie back in the bottle, password stolen, damage done.

For example http://www.securegoose.org/2009/11/tls-r...y-cve.html
Patched here http://nginx.org/download/patch.cve-2009-3555.txt

This does relate to Nginx 0.7.64 (but not to directly access .php code) and potentially allows a man in the middle attacker to steal passwords. Once a useful password has been obtained, the hacker may be able to crawl all over the web root, and in the process collect all of the PHP files, in one of which is your database password and user name.

cat * | grep password

Couple this with the tendancy we all have, but would never admit to, namely to use the same password for many things, and chaos will ensue. Black hat on at a jaunty angle, job done.

Yorick I dont expect you to agree, 'cos you are taking this all personally, rather than considering it logically. However while Yorick is off uprading his web server, a bit of advice for the rest of you, always keep any passwords at the very least hashed, and out of the web root.

Some of us old trolls have been doing this web thing for a very long time, sometimes we even get paid for it.

Now I am off for a quick douch, and then I think I'll go ask Rambo and the rest of the trolls to help me count my Karma points. ;¬)

[eluser]GnomBrother[/eluser]
Thanks a lot guys for your support, but i've not wanted turn it into any flame war. Of course nobody will keep any password cointained files in plain text file(better to say any .inc or whatever file ext, which is viewable);

Joshua, Yes first thing I thought was just to implement it like in pure php by including database connection constants, but all the time you also have to include it your controller as well - which I think not a great solution as your controllers may grow and you need to include it everytime.

The best solution I think, moving my application folder out of www root folder as rogierb suggested and only to change the folder root in index.php

One wondering point does it neg. effect site performance and would it be SEO Friendly when your files out of www root... ?

[eluser]Joshua Logsdon[/eluser]
Hi GnomBrother,

Just a thought from what I understand: I don't see how you would need to include it in your controller... if you have the database library autoloading, the database config should then load, your external file loads declaring your constants, you assign your constants to the database config, and now everything should work.

I don't think you will see a performance hit unless your files were physically on a different drive, etc. As long as you can get to your pages you should be fine with SEO... robots and such don't (and can't) care where your files are on the backend as long as they can be accessed and processed on the frontend.

[eluser]GnomBrother[/eluser]
Thanks Joshua!!! You've winded out all my doubts.
I've visited your site. Very clean, looks great. Has it been powered by CI?

[eluser]Joshua Logsdon[/eluser]
No problem, I hope it all works out.

LOL, the plan is to get everything up and running on CI I had time to work on the design (which of course I want to change again and that's been about it with jobs keeping me busy! I've been fortunate to work with some groups who haven't judged my work based on the state of my homepage!!!

[eluser]GnomBrother[/eluser]
Have u ever tried to build anything on Drupal? CI seems OK, but you have to code many things from scratch which is very time consuming. At the moment I am building mysite on Drupal. Maybe later I'll build something on CI.
Clean urls, funny form validation without isset or empty checks and smart database connection, but it does not have any quick admin panel. Yes you may use 3rd party things or try to create your own one , but again like coding from scratch. My impression on CI, it is like relearning PHP - new functions, another way of handling things etc. I think i close CI for a while as I do not have enough time to learn it inside out. However it gave good introduction on what MVC and Framework are...

One more thing which is killing - does not show russian words and Documentation says it is not good to use BOM.

[eluser]Joshua Logsdon[/eluser]
Yeah, Drupal, Joomla, Wordpress, etc. are definitely valid options and I've had a chance to work with them a bit before. Like you said, from the start you've got things ready to go like admin, blog-like functionality, plugins, etc. I could probably have my site running off of Drupal tomorrow

I'm lucky to not have to worry about having it up immediately, otherwise it would be a Drupal site for sure.

Similar to you, CI has been a great introduction for me. It's got me hooked on methodology... because I had to code some things from scratch (like an admin panel, more flexible cache handling, better image handling, etc.) I did a lot of research on topics and got a better understanding of the "why"s and "how"s. Now that I have a lot of things built to be reused, I'm partial to CI as a solution and for allowing me to be a student

That's unfortunate about Russian words... that's got to be a big deciding factor for you right there regardless of what framework you use.