Is it safe to keep database password and username in config database file in live site

#1
[eluser]GnomBrother[/eluser]
In pure PHP we define constants for the database password and put them outside the www folder. We just bring them into www with the "include" PHP function.

Here in CI, we write them in database.php, and database.php stays in www. Someone can download the whole site with special programs and view database.php.

Is it secure to keep database passwords in database.php?

#2
[eluser]Colin Williams[/eluser]
Well, you can put that code anywhere you want on your server. If you know how include(), et al., works, I'm sure you can figure out how to put sensitive code outside of public folders.

Also, what's the difference between "pure PHP" and CodeIgniter? I haven't found any tainted PHP in CI yet...

#3
[eluser]Wuushu[/eluser]
[quote author="GnomBrother" date="1264007335"]Someone can download whole site by special programs and view database.php.[/quote]

No, they can't. Unless they have FTP/SSH access to your server - in which case you have more to worry about than exposing your database password.

#4
[eluser]GnomBrother[/eluser]
Yes, you can do so by including it in database.php, but then you also have to include the database constants in every controller file which communicates with the database. It could be a total mess, and many includes just negatively affect site performance. Is it possible to move the config folder outside the www folder? If yes, what are the best ways to implement this...

#5
[eluser]rogierb[/eluser]
In CI you can move the entire system and application folder outside the www-root.

My setup
system
app_1
app_2
www-root
--assets
downloads

Just use the appropriate folders in your index.php et voilà.

#6
[eluser]n0xie[/eluser]
It is common practice to move the application folder as well as the system folder out of the system root. Arguably, this is a must on a live server.
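The layout rogierb and n0xie describe (system and application folders one level above the document root, with only index.php and static assets inside www-root) can be wired up in the front controller. The following is an added example, not CodeIgniter's shipped index.php or any code posted in this thread; the directory names (/var/www/site, app_1, www-root) are assumptions for the example, and the bootstrap file path core/CodeIgniter.php is the 2.x convention (1.7.x uses codeigniter/CodeIgniter.php), so check it against your version.

```php
<?php
// Added example front controller (www-root/index.php), not CodeIgniter's own.
//
// Assumed layout (names are assumptions for this example):
//   /var/www/site/system             <- CI core, outside the document root
//   /var/www/site/app_1              <- application folder, holds config/database.php
//   /var/www/site/www-root/index.php <- the only PHP file the web server can reach
//   /var/www/site/www-root/assets    <- static files
//
// Because database.php lives under /var/www/site/app_1, a web server that is
// misconfigured to serve .php as text can only leak this file, which holds no secrets.

// Resolve the site root relative to this file rather than hard-coding it,
// so the layout survives a move between servers.
$site_root          = dirname(__DIR__);            // /var/www/site
$system_path        = $site_root . '/system';
$application_folder = $site_root . '/app_1';

// Fail closed: a typo in either path must produce an error, never a silent
// fallback to a stray "system" or "application" copy left inside www-root.
$system_path = realpath($system_path);
if ($system_path === false || !is_dir($system_path)) {
    header('HTTP/1.1 503 Service Unavailable');
    exit('System folder is missing or misconfigured.');
}
$application_folder = realpath($application_folder);
if ($application_folder === false || !is_dir($application_folder)) {
    header('HTTP/1.1 503 Service Unavailable');
    exit('Application folder is missing or misconfigured.');
}

// Constants CodeIgniter's bootstrap expects (same names as the stock index.php).
define('EXT', '.php');
define('SELF', pathinfo(__FILE__, PATHINFO_BASENAME));
define('BASEPATH', $system_path . '/');
define('FCPATH', __DIR__ . '/');          // document root: the only served directory
define('APPPATH', $application_folder . '/');

// Hand off to the framework (2.x path; 1.7.x: BASEPATH . 'codeigniter/CodeIgniter' . EXT).
require_once BASEPATH . 'core/CodeIgniter.php';
```

With this in place, application/config/database.php keeps CodeIgniter's usual first line, `if ( ! defined('BASEPATH')) exit('No direct script access allowed');`, so even a copy that somehow ends up inside www-root prints nothing when requested directly, because BASEPATH is only defined by index.php. Verify the setup by requesting the config file's old URL (for example /application/config/database.php) after the move and confirming you get a 404 from the web server rather than a 200.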

#7
[eluser]Yorick Peterse[/eluser]
[quote author="GnomBrother" date="1264007875"]Yes, you can do so by including it in database.php, but then you also have to include the database constants in every controller file which communicates with the database. It could be a total mess, and many includes just negatively affect site performance. Is it possible to move the config folder outside the www folder? If yes, what are the best ways to implement this...[/quote]

No it's not. It's simply impossible to download a PHP file's source code unless you have access to the FTP server.

#8
[eluser]Andrew Hull[/eluser]
[quote author="Yorick Peterse" date="1264039609"]No it's not. It's simply impossible to download a PHP file's source code unless you have access to the FTP server.[/quote]

... Except of course when the web server serves up the PHP content as text by mistake.... either due to a bug or misconfiguration of the web server, or an exploit being used against the server. (See here for an example http://xforce.iss.net/xforce/xfdb/7735)

In other words, it's not "impossible", just highly unlikely, and therefore you should always assume it is possible, and take appropriate measures to avoid the rather obvious consequences.

#9
[eluser]Yorick Peterse[/eluser]
[quote author="Andrew Hull" date="1264188623"]... Except of course when the web server serves up the PHP content as text by mistake.... either due to a bug or misconfiguration of the web server, or an exploit being used against the server. (See here for an example http://xforce.iss.net/xforce/xfdb/7735)

In other words, it's not "impossible", just highly unlikely, and therefore you should always assume it is possible, and take appropriate measures to avoid the rather obvious consequences.[/quote]

Highly, highly unlikely. Even a default configuration of Apache, Lighttpd or Nginx prevents PHP from being served as static text, unless you're configuring your server Rambo style.

If your server is configured properly it's perfectly safe to store passwords in .PHP files.

#10
[eluser]Andrew Hull[/eluser]
[quote author="Yorick Peterse" date="1264225918"]Highly, highly unlikely. Even a default configuration of Apache, Lighttpd or Nginx prevents PHP from being served as static text, unless you're configuring your server Rambo style.

If your server is configured properly it's perfectly safe to store passwords in .PHP files.[/quote]

I agree, highly unlikely. Why not put your bank account details in there too, and your credit card PIN. After all, what right-minded hacker would ever think to look for a clear-text password in a clear-text file.

Take a look here for another example of why keeping passwords in plain text is always a VERY bad idea.

http://blog.moertel.com/articles/2006/12...a-database

and here for more info

http://en.wikipedia.org/wiki/Password_cracking

By the way I represent the late Mr Mbongo who sadly passed away recently and left $1.8 trillion in his Nigerian bank account, all I need from you in order to pass on your share is your Bank account number and PIN.

Thanks for your time. The cheque is in the Post.

BTW Rambo doesn't have time to set up my web server, he's too busy setting up servers for major high street banks, and protecting high-ranking officials' laptops from prying eyes.

On a serious note though, learn how to do things securely from the outset; it's worth the trouble you don't get into in the end. You wouldn't leave your car keys on your doormat, so why would you leave the keys to your electronic kingdom just lying about any old where?

The cyber world is full of shoddy security already, so why add to the problem? Just Google "2600" to see who is out there just itching to "test" your security. It's enough to make you whistle (at 2.6kHz of course).

One final point Yorick what version of nginx are you using http://www.securityfocus.com/bid/36384
Ohhh you should be OK, perhaps, maybe, 'cos you are on version 0.7.64 .... or are you?
