Solved

How to prevent access to PHP files that store username/password

Posted on 2012-03-26
9
331 Views
Last Modified: 2012-08-31
Our PHP web app saves the database username and password in a file. How do i prevent the access of this file by FTP users. So that if my programmer resigns, I dont always have to keep changing username/password.
0
Comment
Question by:melwong
9 Comments
 
LVL 21

Expert Comment

by:Kim Walker
ID: 37766250
That depends on what kind of file holds this information. If it's stored in a .php file, the server will always deliver the results of the code inside the file, never the contents. However, I always store such files in a folder outside the public shared directory and include them in my php file using the include statement and a direct path to the file as it is on the server.
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 37766287
I use something like this
require_once('../root/db_link.php');

Open in new window

I have the "root" directory on the server at the same level as public_html.  It can't be browsed, only included.  And I also agree with xmediaman: you have very little risk of exposure if your information is inside a .php file.
0
 

Author Comment

by:melwong
ID: 37766309
My current file is in /home/website/public_html/app/app_info.conf. How do i put this file outside public shared dir? Cos my domain website.com points to the dir website
0
 

Author Comment

by:melwong
ID: 37766321
My risk is exposing passwords to my programmers
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 12

Expert Comment

by:larsrohr
ID: 37766326
In addition, we make such files owned and readable only by the apache web user.  So among local users, only apache and root can directly access the file.
0
 

Author Comment

by:melwong
ID: 37766360
larsrohr, how do we do that? what is the chmod?
0
 
LVL 12

Accepted Solution

by:
larsrohr earned 50 total points
ID: 37766370
chown apache filename
chmod 400 filename
0
 

Author Closing Comment

by:melwong
ID: 37766464
thx
0
 

Expert Comment

by:Web_Sight
ID: 38353740
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
"In order to have an organized way for empathy mapping, we rely on a psychological model and trying to model it in a simple way, so we will split the board to three section for each persona and a scenario and try to see what those personas would Do,…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
The viewer will get a basic understanding of what section 508 compliance can entail, learn about skip navigation links, alt text, transcripts, and font size controls.

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now