[prog] PHP script security

Diggy Bell diggy at dbsoftdev.com
Wed Aug 13 10:33:32 EST 2003


Hi Beth,

In the strictest sense, it's always a risk to embed user names and passwords
directly into scripts, but I'll be the first to admit that I do it myself
sometimes.

In a perfect world, information like this should be stored in a
configuration file that is read by your PHP app.  That file can even be
placed somewhere on the file system where it isn't accessible to the web
server, but is available to PHP.  This will ensure that someone can't
accidentally get to the file and get your username/password info.  If you
have multiple applications running, this can really make life a lot easier
for you, especially if you need to change the username or password.

Since you have the permissions locked down on the database, the user can't
do a lot to the database.  That means it's probably not a big deal to leave
the username/password in the file.  But if this is going to be a publicly
accessible site, it wouldn't hurt to be a little more safe and put them
elsewhere.

William D. 'Diggy' Bell
Principal
DB Software Development
http://www.dbsoftdev.com
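As an added illustration of the configuration-file approach described above (not code from either message in the thread): the credentials live in an ini file outside the web server's document root, and the standings script reads them with PHP's `parse_ini_file()` and connects through PDO. The file paths, the file name and the `$_GET['division']` parameter are assumptions; the database, account and query are the ones from the original script.

```php
<?php
// Added example (not code from the thread). Assumed layout:
//   /var/www/html/standings.php  <- this file, served by the web server
//   /etc/myapp/db.ini            <- outside the document root; mode 0640,
//                                   group-readable by the PHP/web user only
// Constructed contents of /etc/myapp/db.ini:
//   [database]
//   host = localhost
//   name = childs2003
//   user = webuser   ; the SELECT-only account from the original script
//   pass = "please"
$config = parse_ini_file('/etc/myapp/db.ini', true);
if ($config === false || empty($config['database'])) {
    // Fail closed without echoing the config path or contents to the visitor.
    error_log('standings.php: cannot read database configuration');
    http_response_code(500);
    exit('Site temporarily unavailable.');
}
$db = $config['database'];

try {
    $pdo = new PDO(
        "mysql:host={$db['host']};dbname={$db['name']};charset=utf8mb4",
        $db['user'], $db['pass'],
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
    );
} catch (PDOException $e) {
    error_log('standings.php: connect failed: ' . $e->getMessage()); // log only
    http_response_code(500);
    exit('Site temporarily unavailable.');
}
// Once the division comes from a form, bind it as a parameter instead of
// splicing it into the SQL string.
$division = $_GET['division'] ?? 'M6+Und';
$stmt = $pdo->prepare('SELECT firstname, lastname, age, totalpoints FROM master
                       WHERE division = :division ORDER BY totalpoints DESC');
$stmt->execute([':division' => $division]);

print "<table border=1>\n<tr><th>First Name</th><th>Last Name</th>"
    . "<th>Age</th><th>Total Points</th></tr>\n";
while ($row = $stmt->fetch(PDO::FETCH_NUM)) {
    print "<tr>\n";
    foreach ($row as $field) {
        // Escape database values before placing them in HTML.
        print "\t<td>" . htmlspecialchars((string) $field, ENT_QUOTES, 'UTF-8') . "</td>\n";
    }
    print "</tr>\n";
}
print "</table>\n";
```

Because the ini file sits outside the document root, a misconfigured or directory-listing web server cannot serve it, and changing the password later means editing one file rather than every script.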

----- Original Message ----- 
From: "Beth Johnson" <linux.chick at verizon.net>
To: <programming at linuxchix.org>
Sent: Wednesday, August 13, 2003 10:14 AM
Subject: [prog] PHP script security


> Hi there,
> I'm teaching myself some PHP for MySQL website integration and have a
> security question before I upload the pages.  I'm just executing a
> relatively simple query and returning the results as an HTML table.
>
> I've set up a restricted MySQL user for the script to invoke which has
> SELECT privileges only for the database.  One question is, I've put the
> username and password for that restricted account in the script.  Is
> this how it's commonly done?  Is this an okay way to do this?
>
> Here's the PHP code from a page which displays the results of a race
> series where the data from the races is stored in the database.  The
> data gets sorted by age division, selecting all in a particular
> division, then sorted by total points earned in descending order.  The
> resulting page is the current standings in the race series.
> -----------------------------------
> <?php
> $user = "webuser"; /* This is a user set to read only */
> $pass = "please";
> $db = "childs2003";
> $link = mysql_pconnect( "localhost", $user, $pass );
> if ( ! $link ) {
>     die( "Couldn't connect to MySQL." );
> }
> mysql_select_db( $db, $link )
>     or die( "Couldn't open $db: ".mysql_error() );
> /* Find name and totalpoints from master ordered by totalpoints
>    return this as the variable $result */
> $result = mysql_query( "SELECT firstname, lastname, age, totalpoints
>     FROM master WHERE division='M6+Und' ORDER BY totalpoints DESC" )
>     or die( "Query failed: ".mysql_error() );
> $num_rows = mysql_num_rows( $result );
> print "<table border=1>\n";
> /* This prints the headers for the columns */
> print "<tr><th>First Name</th><th>Last Name</th><th>Age</th><th>Total
> Points</th></tr>";
> /* This fetches each row of the resultset in turn and prints a tr tag
>    for each row */
> while ( $a_row = mysql_fetch_row( $result ) )
> {
>     print "<tr>\n";
>     foreach ( $a_row as $field ) {
>         /* Escape the database value before placing it in the HTML */
>         print "\t<td>".htmlspecialchars( $field )."</td>\n";
>     }
>     print "</tr>\n";
> }
> print "</table>\n";
> mysql_close( $link );
> ?>
> --------------------------------------
>
> It's pretty basic stuff, I think, but enables me to avoid building 9
> static pages with 150 rows each once a week.  Eventually I'll have a
> form for visitors to select the division to display, instead of pages
> with a static query, but I'm having problems with forms on my test
> server.  I'll tackle that in another mail, another time!
>
> TIA!  I realize I'm very new at this, and any helpful comments are
> welcome.  I just can't get over how much work even this simple script
> will save me.
>
> regards,
> Beth
> -- 
>   /\/\    Beth Johnson
>  / o o\   Cosmic Wonderer
> ( / ^^\)  Springfield, MA USA
>  \ M_M/   "Ruling a country is like cooking a small fish--
>            you have to handle it with care."--Lao Tzu
>