Securing files with PHP and MySQL

Posted on 2007-08-06
Last Modified: 2013-12-13
I have an administrative site setup where the user has to login. The site is setup with PHP. I am wondering what is the best way to secure the files, but allow the specified users to access them and without storing a password in a database that can be seen and defeat the purpose. Is there a way to use windows authentication or does it make sense to setup a user table in mysql?
Question by:nisupport
    LVL 21

    Assisted Solution

    by:Julian Matz
    Hi nisupport,

    I would say the most effective way would be to use PHP sessions and to store the user logins in a MySQL database.

    If a user session does not exist, you could redirect all users to a login page. When the user logs in, and the data is authenticated, you create a session which must then be kept alive throughout each page of the "secure" section.

    A simpler way would be to create a .htaccess file, which will serve a prompt to users, requesting them to authenticate. If authentication fails, the user will receive a HTTP 401 status code (Unauthorized).
    LVL 10

    Accepted Solution

    make sure you add a htaccess to stop directory listing as well, directory listing allows people to build a picture of your server's file structure.

    And just build on what julian has said above me. Store the password in MySQL database as md5 strings, those are not reversable. eg.. once you md5("test") and get a string back that looks like jagsjkldga81823718723123, there is no way to reverse that back to test, a salted md5, last i looked, is still not hackable.

    if you do md5 with password storing, then to compile the passwords, you should use a md5 on the password the user typed and compare the 2 result strings to see if they match.

    PHP itself require securing, get the the latest version, and follow the security advices on the config file (php.ini), things like remote file include, allow global etc should be turned off if you want maximum security, but the problem is that this can make coding things in PHP alot more difficult.

    for a more detailed read, please check out:

    You want to setup a root password definitly, for each user in your MySQL, you want to give them access to only the database they own, and you should never give them root access. Disabling access to MySQL through localhost is also recommanded by some, although that is optional.

    For details, read:

    Last thing, you cant really not store a password and then check for that password, you can hard code the password into the script, but thats considered even less secure..
    You must also make sure to sanitize everything your PHP does, this is to make sure no rogue strings can get into your scripts. For example. people can encode php or javascript code into forum posts that can then infect the forums, in those cases, a sanity check on the post before they are allowed to be inserted into the database can easily prevent those.

    There are alot of things you need to take care of if you want a totally secure server.. and i dare say that its probably not possible.. it is up to you to determine just how much risk your server is in. How many people really want to spend the massive ammount of time required to hack into your server? Do you have such sensitive information? Are your servers backed up regularly?
    LVL 3

    Expert Comment

    imho the mysql table is the best option here, i can say alot and reflect away from your question but that doesn't make sence so.....

    I'd say:
    "Go for the table"

    u can alway's update it for modifications, expand it for future use and that sort of things, and if you realy want to specify the documents, then put the document names in the db as well and authenticate through your database.

    Sry for my terrible english ........ /shy



    Author Comment

    If I store the passwords in mysql, but have the files in the windows folders, how do I tie to two securities together?
    LVL 3

    Assisted Solution

    only if they can authenticate you can let them see the files in the folder.

    If person a has only right to see certain files then add those files to his "profile" within the database....

    or create groups if you don't want to do it for every user.



    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    How to run any project with ease

    Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
    - Combine task lists, docs, spreadsheets, and chat in one
    - View and edit from mobile/offline
    - Cut down on emails

    Suggested Solutions

    Title # Comments Views Activity
    Insert command generates error in MySQL 3 28
    MySQL 11 46
    Replace Damware (now solarwinds) utilities ?? 3 32
    SQL Update Query 23 64
    Part of the Global Positioning System A geocode ( is the major subset of a GPS coordinate (, the other parts being the altitude and t…
    Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
    Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
    The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

    779 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    12 Experts available now in Live!

    Get 1:1 Help Now