Securing files with PHP and MySQL

I have an administrative site setup where the user has to login. The site is setup with PHP. I am wondering what is the best way to secure the files, but allow the specified users to access them and without storing a password in a database that can be seen and defeat the purpose. Is there a way to use windows authentication or does it make sense to setup a user table in mysql?
nisupportAsked:
Who is Participating?
 
sakuya_suCommented:
make sure you add a htaccess to stop directory listing as well, directory listing allows people to build a picture of your server's file structure.

And just build on what julian has said above me. Store the password in MySQL database as md5 strings, those are not reversable. eg.. once you md5("test") and get a string back that looks like jagsjkldga81823718723123, there is no way to reverse that back to test, a salted md5, last i looked, is still not hackable.

if you do md5 with password storing, then to compile the passwords, you should use a md5 on the password the user typed and compare the 2 result strings to see if they match.


PHP itself require securing, get the the latest version, and follow the security advices on the config file (php.ini), things like remote file include, allow global etc should be turned off if you want maximum security, but the problem is that this can make coding things in PHP alot more difficult.

for a more detailed read, please check out:
http://www.securityfocus.com/infocus/1706


MySQL:
You want to setup a root password definitly, for each user in your MySQL, you want to give them access to only the database they own, and you should never give them root access. Disabling access to MySQL through localhost is also recommanded by some, although that is optional.

For details, read:
http://www.securityfocus.com/infocus/1726


Last thing, you cant really not store a password and then check for that password, you can hard code the password into the script, but thats considered even less secure..
You must also make sure to sanitize everything your PHP does, this is to make sure no rogue strings can get into your scripts. For example. people can encode php or javascript code into forum posts that can then infect the forums, in those cases, a sanity check on the post before they are allowed to be inserted into the database can easily prevent those.

There are alot of things you need to take care of if you want a totally secure server.. and i dare say that its probably not possible.. it is up to you to determine just how much risk your server is in. How many people really want to spend the massive ammount of time required to hack into your server? Do you have such sensitive information? Are your servers backed up regularly?
0
 
Julian MatzJoint ChairpersonCommented:
Hi nisupport,

I would say the most effective way would be to use PHP sessions and to store the user logins in a MySQL database.

If a user session does not exist, you could redirect all users to a login page. When the user logs in, and the data is authenticated, you create a session which must then be kept alive throughout each page of the "secure" section.

A simpler way would be to create a .htaccess file, which will serve a prompt to users, requesting them to authenticate. If authentication fails, the user will receive a HTTP 401 status code (Unauthorized).
0
 
holy007Commented:
imho the mysql table is the best option here, i can say alot and reflect away from your question but that doesn't make sence so.....

I'd say:
"Go for the table"

Why?
u can alway's update it for modifications, expand it for future use and that sort of things, and if you realy want to specify the documents, then put the document names in the db as well and authenticate through your database.


Sry for my terrible english ........ /shy

Greetings,

HoLy007
0
 
nisupportAuthor Commented:
If I store the passwords in mysql, but have the files in the windows folders, how do I tie to two securities together?
0
 
holy007Commented:
only if they can authenticate you can let them see the files in the folder.

If person a has only right to see certain files then add those files to his "profile" within the database....

or create groups if you don't want to do it for every user.

Greetings,

HoLy007
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.