[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Securing files with PHP and MySQL

Posted on 2007-08-06
5
Medium Priority
?
316 Views
Last Modified: 2013-12-13
I have an administrative site setup where the user has to login. The site is setup with PHP. I am wondering what is the best way to secure the files, but allow the specified users to access them and without storing a password in a database that can be seen and defeat the purpose. Is there a way to use windows authentication or does it make sense to setup a user table in mysql?
0
Comment
Question by:nisupport
5 Comments
 
LVL 21

Assisted Solution

by:Julian Matz
Julian Matz earned 400 total points
ID: 19643228
Hi nisupport,

I would say the most effective way would be to use PHP sessions and to store the user logins in a MySQL database.

If a user session does not exist, you could redirect all users to a login page. When the user logs in, and the data is authenticated, you create a session which must then be kept alive throughout each page of the "secure" section.

A simpler way would be to create a .htaccess file, which will serve a prompt to users, requesting them to authenticate. If authentication fails, the user will receive a HTTP 401 status code (Unauthorized).
0
 
LVL 10

Accepted Solution

by:
sakuya_su earned 800 total points
ID: 19643411
make sure you add a htaccess to stop directory listing as well, directory listing allows people to build a picture of your server's file structure.

And just build on what julian has said above me. Store the password in MySQL database as md5 strings, those are not reversable. eg.. once you md5("test") and get a string back that looks like jagsjkldga81823718723123, there is no way to reverse that back to test, a salted md5, last i looked, is still not hackable.

if you do md5 with password storing, then to compile the passwords, you should use a md5 on the password the user typed and compare the 2 result strings to see if they match.


PHP itself require securing, get the the latest version, and follow the security advices on the config file (php.ini), things like remote file include, allow global etc should be turned off if you want maximum security, but the problem is that this can make coding things in PHP alot more difficult.

for a more detailed read, please check out:
http://www.securityfocus.com/infocus/1706


MySQL:
You want to setup a root password definitly, for each user in your MySQL, you want to give them access to only the database they own, and you should never give them root access. Disabling access to MySQL through localhost is also recommanded by some, although that is optional.

For details, read:
http://www.securityfocus.com/infocus/1726


Last thing, you cant really not store a password and then check for that password, you can hard code the password into the script, but thats considered even less secure..
You must also make sure to sanitize everything your PHP does, this is to make sure no rogue strings can get into your scripts. For example. people can encode php or javascript code into forum posts that can then infect the forums, in those cases, a sanity check on the post before they are allowed to be inserted into the database can easily prevent those.

There are alot of things you need to take care of if you want a totally secure server.. and i dare say that its probably not possible.. it is up to you to determine just how much risk your server is in. How many people really want to spend the massive ammount of time required to hack into your server? Do you have such sensitive information? Are your servers backed up regularly?
0
 
LVL 3

Expert Comment

by:holy007
ID: 19643895
imho the mysql table is the best option here, i can say alot and reflect away from your question but that doesn't make sence so.....

I'd say:
"Go for the table"

Why?
u can alway's update it for modifications, expand it for future use and that sort of things, and if you realy want to specify the documents, then put the document names in the db as well and authenticate through your database.


Sry for my terrible english ........ /shy

Greetings,

HoLy007
0
 

Author Comment

by:nisupport
ID: 19645702
If I store the passwords in mysql, but have the files in the windows folders, how do I tie to two securities together?
0
 
LVL 3

Assisted Solution

by:holy007
holy007 earned 800 total points
ID: 19645835
only if they can authenticate you can let them see the files in the folder.

If person a has only right to see certain files then add those files to his "profile" within the database....

or create groups if you don't want to do it for every user.

Greetings,

HoLy007
0

Featured Post

Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article discusses how to implement server side field validation and display customized error messages to the client.
In this series, we will discuss common questions received as a database Solutions Engineer at Percona. In this role, we speak with a wide array of MySQL and MongoDB users responsible for both extremely large and complex environments to smaller singl…
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
Suggested Courses
Course of the Month18 days, 14 hours left to enroll

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question