DB password security

#1
Hi everyone,

I'm developing an application that connects to an Oracle database and then shows monitoring statistics.

The problem is, I have to store the password and user somewhere.

For the moment I encrypt/decrypt the user & pass with AES256.
That means I have an encryption key hardcoded (as a constant).

My idea was to externalise this file (with the encryption key) so the future developers can't see the key.
They would see only the encrypted user/password.

Do you have an idea about how to do it?
How to include an external file?

I hope I've explained my situation well.

Thank you

#2
Future developers? You think there will be somebody else touching your code? Might as well just disconnect from the network, which is the ultimate security. Of course I'm just playing...

#3
The thing is

This application I am doing is for my studies (diploma work), so I work in a company.
When I have finished, all my work is owned by the company and next year another student takes the project and continues it.

The problem of the "other developers" is that we are going to give our application to the company's IT Department to monitor their databases; they could add pages and stuff like that. But not see the access codes (this is why the config file should be outside the application root).

I hope I am clear in my explanations.

#4
You are going to hide the code all together? What if you end up dead and no one knows the encryption key anymore.
Sure you should always put it outside the root folder so it's not accessible by a public file. But it should be available for future development. In case you are going to update it to a more modern encryption. As you stated; They own the code.

Use password_hash and password_verify for password encryption instead. It's a randomized salt so it's stored together with the password. So no one ones it.
http://php.net/manual/en/function.password-hash.php
http://php.net/manual/en/function.password-verify.php

#5
(08-23-2018, 02:52 AM)jreklund Wrote: You are going to hide the code all together? What if you end up dead and no one knows the encryption key anymore.
Sure you should always put it outside the root folder so it's not accessible by a public file. But it should be available for future development. In case you are going to update it to a more modern encryption. As you stated; They own the code.

Use password_hash and password_verify for password encryption instead. It's a randomized salt so it's stored together with the password. So no one ones it.
http://php.net/manual/en/function.password-hash.php
http://php.net/manual/en/function.password-verify.php

Not hide the code 

Two kinds of people are going to work on the project:

- The IT administration (add page, add form, change CSS and so on)
- The developers, who can modify all the content of the project

I would like to externalise the config file out of the root, so the IT guys cannot see it (only the developers).

#6
Then you can use a require('file_path/config.php'); and place it outside of the public_html folder. Just to be sure it's not accessible from the GUI.

It's recommended to move application and system folder too. These settings are inside the index.php file.
https://www.codeigniter.com/userguide3/g..._apps.html

#7
Hi,

How about just using some Apache directives to change the document root eg.. 
Code:
DocumentRoot "{DOCROOT}/public"

Then move your index.php file to the public folder
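The approach from posts #6 and #7 (credentials in a file required from outside the document root, with Apache's DocumentRoot pointing at a public folder), as an added example that is not from this thread or from CodeIgniter itself. The directory layout, file names, `load_db_config()` helper and the credential values are all assumptions made for the illustration.

```php
<?php
// Added example: load DB credentials from a file one level above the public
// document root and refuse to start if that file is web-reachable.
// Assumed (hypothetical) layout:
//   /var/www/myapp/config/db.php    <- credentials, outside the web root
//   /var/www/myapp/public/index.php <- Apache DocumentRoot points here
declare(strict_types=1);

/**
 * Read the credentials array returned by $configPath.
 * $docRoot is the web server's document root ($_SERVER['DOCUMENT_ROOT']).
 * Throws instead of falling back to defaults, so a missing or misplaced
 * file fails loudly rather than silently exposing or skipping credentials.
 */
function load_db_config(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);
    $root = realpath($docRoot);
    if ($real === false || !is_readable($real)) {
        throw new RuntimeException("DB config not found or unreadable: $configPath");
    }
    // Defence in depth: if the file sits under the document root, a server
    // misconfiguration (e.g. PHP handler disabled) could serve its source.
    if ($root !== false && strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("DB config must live outside the document root: $real");
    }
    $cfg = require $real; // the config file does `return [...]`
    if (!is_array($cfg)) {
        throw new RuntimeException("DB config must return an array");
    }
    // Same keys CodeIgniter 3 uses in application/config/database.php.
    foreach (['hostname', 'username', 'password', 'database'] as $key) {
        if (empty($cfg[$key])) {
            throw new RuntimeException("DB config is missing '$key'");
        }
    }
    return $cfg;
}

// config/db.php (outside the web root; mode 0640, readable only by the PHP user):
// <?php
// return [
//     'hostname' => 'oracle.internal', // constructed sample values
//     'username' => 'monitor_ro',      // read-only account for monitoring
//     'password' => 'change-me',
//     'database' => 'MONDB',
// ];

// In public/index.php, before CodeIgniter bootstraps:
$db = load_db_config(__DIR__ . '/../config/db.php', $_SERVER['DOCUMENT_ROOT'] ?? __DIR__);
```

The credentials themselves stay in plaintext on disk, but outside the web root and protected by file permissions, so a hardcoded decryption key is no longer needed in the application source.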
