Solved

Web Development - Securing Database Password

Posted on 2011-10-12
Medium Priority
279 Views
Last Modified: 2012-05-12
This "question" is a bit different in that I'm not trying to solve a specific problem where I don't already have a solution.  Instead, I'm looking for informed opinions.

The issue is that for a CGI to access a database, it needs login information (user name and password) for that database.  Of course, we don't want to expose the login information to the public.

I read about one solution meant for Apache running on a *nix system (such as Linux).  This solution is to store the login information in a file that

is not in the server's directory tree;
has a .php extension so the PHP processor will process the file before it's served;
is owned by the web server;
has file permissions 400 (-r--------);
is in a directory owned by the web server; and
is in a directory whose permissions are 500 (-r-x------).

Of course, if the server's root account is ever compromised, none of this matters.  (However, I'm looking at this problem from the perspective of the developer and not the person who is responsible for protecting the server from O/S level attacks.)

I'm also assuming that the login and password are otherwise difficult to guess.  A discussion on that might be warranted but it is outside the scope of this post.  (Assume the login and password were assigned in a competent fashion.)

Opinions?  Comments?  Ideas?
Comment
Question by:Hugh McCurdy
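The layout the question describes, as an added example that is not part of the original post: a POSIX shell script that builds the tree in a scratch directory and a check function, check_secret_file, that verifies every rule in the list (outside the document root, .php extension, owner, mode 400 on the file, mode 500 on its directory) and says which rule a file breaks. It assumes a Linux host with GNU coreutils (stat -c, readlink -f); because chown needs root, whoever runs the script stands in for the web server user, and the directory names and the credential values written into hookup.php are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Linux + GNU coreutils.
set -u

# check_secret_file FILE DOCROOT OWNER
# Exit status 0 only if FILE meets every rule from the question:
#   - its canonical path is not under DOCROOT
#   - it ends in .php (Apache runs it instead of serving the source)
#   - it is owned by OWNER with mode exactly 0400
#   - its directory is owned by OWNER with mode exactly 0500
check_secret_file() {
    f=$1; docroot=$2; owner=$3
    [ -f "$f" ] || { echo "FAIL: $f does not exist"; return 1; }
    real=$(readlink -f "$f") || return 1
    droot=$(readlink -f "$docroot") || return 1
    case "$real" in
        "$droot"/*) echo "FAIL: $f is inside the document root $droot"; return 1 ;;
    esac
    case "$real" in
        *.php) ;;
        *) echo "FAIL: $f is not a .php file"; return 1 ;;
    esac
    have=$(stat -c '%a %U' "$real")
    [ "$have" = "400 $owner" ] || { echo "FAIL: $f is $have, want 400 $owner"; return 1; }
    have=$(stat -c '%a %U' "$(dirname "$real")")
    [ "$have" = "500 $owner" ] || { echo "FAIL: $(dirname "$real") is $have, want 500 $owner"; return 1; }
    echo "OK: $f"
    return 0
}

# build_demo: create a constructed layout under a fresh temp dir and print its path.
#   www/public_html/            the document root
#   www/secrets/hookup.php      credentials, 0400 inside a 0500 directory (the plan)
#   www/secrets/leaky.php       right place, but left world-readable
#   www/public_html/config.php  credentials dropped inside the document root
build_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/www/public_html" "$tmp/www/secrets"
    for f in "$tmp/www/secrets/hookup.php" "$tmp/www/secrets/leaky.php" \
             "$tmp/www/public_html/config.php"; do
        cat > "$f" <<'EOF'
<?php
// Constructed sample values, not real credentials.
define('DB_USER', 'app_user');
define('DB_PASS', 'not-a-real-password');
EOF
        chmod 644 "$f"
    done
    chmod 400 "$tmp/www/secrets/hookup.php"
    chmod 500 "$tmp/www/secrets"   # set last: the directory is read-only from here on
    echo "$tmp"
}

# cleanup_demo DIR: the 0500 directory cannot be emptied until it is writable again.
cleanup_demo() { chmod -R u+rwx "$1" && rm -rf "$1"; }

run_demo() {
    d=$(build_demo)
    me=$(id -un)   # stand-in for the web server user (chown would need root)
    for f in secrets/hookup.php secrets/leaky.php public_html/config.php; do
        check_secret_file "$d/www/$f" "$d/www/public_html" "$me" || :
    done
    cleanup_demo "$d"
}
run_demo
```

Only hookup.php passes; leaky.php is rejected for its mode and config.php for its location, before any permission is even looked at. Note that the check compares canonical paths, so a secrets directory reached through a symlink is judged by where it really lives.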
12 Comments
 
LVL 13

Expert Comment

by:Andrew Derse
ID: 36955496
What kind of database are you using?  Is it internally hosted or hosted by an external company?  Also, I see you tagged PHP... why not just use an SSL certificate, on site, then establish the connection... all is secure...

LVL 13

Author Comment

by:Hugh McCurdy
ID: 36955661
In this case, MySQL.   The server is at a server farm in another state.  They also set up the OS.  I have ssh2 access to the computer (and have the root password).

SSL is necessary to protect passwords, etc., in transit.  I don't see how SSL will protect against lame programming though.  If I were to keep the password in an XML file in the same directory as index.php, someone guessing the correct file name would see the password even if using SSL.  Right?
LVL 13

Assisted Solution

by:Andrew Derse
Andrew Derse earned 400 total points
ID: 36955732
If you develop your site correctly, no one will see anything they aren't supposed to... I use a platform called Joomla for most of my sites... quick and easy content management system that allows for tons of customization on it... my users (over 165 users) are limited as to what they can see... and they never see an actual 'file' on the server... just the HTML the pages render.

Are you thinking that other people within your company might be sneaking around and trying to find this information or someone on the web?
LVL 111

Assisted Solution

by:Ray Paseur
Ray Paseur earned 800 total points
ID: 36955738
My web sites are hosted mostly on shared servers.  Each account has a root directory and the web site itself is in a sub-directory of the root directory.  I use something like this in all of my common files:

require_once('../secrets/hookup.php');

In that, I store my DEFINE statements for API keys, my passwords, etc.
LVL 13

Author Comment

by:Hugh McCurdy
ID: 36955819
@NUKIT -- the discussion I'm trying to have is about how to develop the site correctly.  I'm looking for theory more than anything.  (Pretend you are in a college discussion.)

@Ray -- That helps.  It's along the lines of what I read.  I didn't know about require_once().  Now I do.  (Just read the manual page on it.)  
LVL 13

Expert Comment

by:Andrew Derse
ID: 36955867
Gotcha ;)  Thought you were beyond that stage and asking more technical not theoretical...
LVL 13

Author Comment

by:Hugh McCurdy
ID: 36956025
@NUKIT - I like to revisit theory from time to time especially when it's important theory.  My hope is that experts could learn from the discussion (different ideas, etc).  Then we are all better.
LVL 9

Expert Comment

by:crazedsanity
ID: 36962380
In the PHP systems I've designed, such as CS-WebAppLibs (https://cs-webapplibs.svn.sourceforge.net/svnroot/cs-webapplibs/), all code is purposely stored in directories beneath the public folder: template files, includes, and configuration files.  Part of this system stores an XML file that gets read in and exposed to the code as constants and/or global variables.

Since the important stuff is *beneath* the public folder, it's already pretty secure; code would have to be specially-written to expose it.... so at this point security is mostly about someone being able to login to the server to view these files or someone with physical access.  At this point, security + permissions are more reliant on the OS.
LVL 13

Author Comment

by:Hugh McCurdy
ID: 36962779
crazedsanity, I'm not sure what you mean by "beneath."  I think you mean it's in a sub folder.  But those could be searched if I can determine the path.  Right?  Or do you mean something else?
LVL 9

Accepted Solution

by:crazedsanity
crazedsanity earned 800 total points
ID: 36962933
I'll try to explain a bit better.  On a webserver there must be a "public" or "document root" directory; on my server (http://www.crazedsanity.com), that folder is "public_html".  When I create a file in that folder, such as "hmccurdy.html", I can access it by going to http://www.crazedsanity.com/hmccurdy.html.  This folder, "public_html", is in ~/www/public_html/ (so the HTML file is in ~/www/public_html/hmccurdy.html).

On my website I only have a few scripts that do a majority of the work.  For instance, the main page ("/" or "/content" or "/content/index.html") runs through a script that is literally named "content": it runs as PHP by some custom rules in Apache.  The scripts that it includes are in ~/www/includes/; the templates are in ~/www/templates/; and the config file is in ~/www/rw/.  These folders are beneath the public_html folder (well, technically they're at the same level), thereby protecting them from accidental exposure; if they were in the public_html folder, then someone might be able to find them... such as by going to http://www.crazedsanity.com/rw/siteConfig.xml.

Does that clear it up?
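The "same level as public_html" layout from this answer, as an added example that is not the answerer's code: a POSIX shell script that builds ~/www/{public_html,includes,templates,rw} under a scratch directory and a check, web_reachable, that asks the question the answer's reasoning rests on, namely whether any path below the document root resolves to a given file, so that a plain static request could fetch it. It also exercises the case the layout alone does not prevent: a symlink inside public_html pointing at ../rw, which Apache follows when the FollowSymLinks option is on. It assumes Linux with GNU coreutils (readlink -f, find -L); the file names and contents are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes Linux + GNU coreutils.
set -u

# web_reachable DOCROOT TARGET
# Prints every URL path under which TARGET could be served as a static file
# (a regular file found below DOCROOT with symlinks followed, whose canonical
# path is TARGET) and returns 0; returns 1 if nothing below DOCROOT leads to it.
web_reachable() {
    droot=$(readlink -f "$1") || return 1
    target=$(readlink -f "$2") || return 1
    hits=$(find -L "$droot" -type f | while IFS= read -r p; do
        if [ "$(readlink -f "$p")" = "$target" ]; then
            echo "/${p#"$droot"/}"
        fi
    done)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# build_site: the layout from the answer, under a fresh temp dir; prints its path.
#   www/public_html/  document root, holds hmccurdy.html
#   www/includes/     PHP includes (beside, not inside, the document root)
#   www/templates/    templates
#   www/rw/           siteConfig.xml with constructed credentials
build_site() {
    tmp=$(mktemp -d)
    for dir in public_html includes templates rw; do mkdir -p "$tmp/www/$dir"; done
    echo '<html><body>hello</body></html>' > "$tmp/www/public_html/hmccurdy.html"
    echo '<?php // constructed include, no secrets' > "$tmp/www/includes/db.php"
    cat > "$tmp/www/rw/siteConfig.xml" <<'EOF'
<config><db user="app_user" pass="not-a-real-password"/></config>
EOF
    echo "$tmp"
}

run_demo() {
    d=$(build_site)
    docroot=$d/www/public_html
    cfg=$d/www/rw/siteConfig.xml
    echo "public file:";  web_reachable "$docroot" "$docroot/hmccurdy.html"
    echo "config beside public_html:"; web_reachable "$docroot" "$cfg" || echo "  (not reachable)"
    ln -s ../rw "$docroot/rw"   # a "convenient" symlink quietly undoes the layout
    echo "after symlink:"; web_reachable "$docroot" "$cfg" || echo "  (not reachable)"
    rm -rf "$d"
}
run_demo
```

Before the symlink, only /hmccurdy.html is reachable and siteConfig.xml is not; after it, the check reports /rw/siteConfig.xml, which is exactly the URL the answer warns about. Running web_reachable over each file in rw/ and includes/ as a deploy-time check catches that kind of mistake before a visitor does.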
LVL 13

Author Comment

by:Hugh McCurdy
ID: 36963028
Yes.  I wouldn't have used the word "beneath" but what you did makes sense.

Pretty much this gives me confirmation that my plan is pretty good.
LVL 13

Author Closing Comment

by:Hugh McCurdy
ID: 36963057
Thanks for the advice.  Hope the point allocation is fair.