This is a discussion on "how to not write password in code for using to mysql?" within the MySQL Database forums, part of the Database Forums category.
On May 27, 5:56 pm, "_mario.lat" <n...@libero.it> wrote:
> >> I use PHP and I'd like to not write in hardcoded way password
> >> and login to access to mysql.
> >> how to not write password in code for access to mysql?
> >> How can I do?
> >> I'd like that who see my code don't see my passwords.
> >> there is a solution?
>
> > Now you can create the following file
>
> Thank you for answering me.
> I'm sure there is a better way with crypt:
> DES or SHA, RSA...
> Mario.

Hello Mario!, I think that maybe you can "confuse" a little the
malicious user doing the following things:

1st: as I read before, encrypt your password at (for example)
base64:
$user = "mario";
$password = "Y0dGemMzZHZjbVE9"; (the word "password" encrypted at
base64 TWICE, and looks like a plain text passwd)

then, when you want to decrypt it and use it for logging in at some place
of your scripts:
echo base64_decode(base64_decode($password));
or, to confuse the attacker more, you can do the same
$pass_decrypted= base64_decode(base64_decode($password)); <--- but
also encrypted in hex like this..:

echo
"base64_d& #x65;code(ba&#x 73;e64_deco ;de($pass& #x77;ord));";
as doing with echo, when executed, the browser prints the result in
plain text, showing base64_decode(base64_decode($password)), but the
question is to save the plain text result, in a variable containing
your password decrypted...
I hope this will help you...I just improved this, 'cause I didn't
have time to explore more this (I have to go to work now :( )
Success!!! See u! =)

On May 28, 3:20 pm, Keniobats <freerevolutiont...@gmail.com> wrote:
> On May 27, 5:56 pm, "_mario.lat" <n...@libero.it> wrote:
>
> > >> I use PHP and I'd like to not write in hardcoded way password
> > >> and login to access to mysql.
> > >> how to not write password in code for access to mysql?
> > >> How can I do?
> > >> I'd like that who see my code don't see my passwords.
> > >> there is a solution?
> >
> > > Now you can create the following file
> >
> > Thank you for answering me.
> > I'm sure there is a better way with crypt:
> > DES or SHA, RSA...
> > Mario.
>
> Hello Mario!, I think that maybe you can "confuse" a little the
> malicious user doing the following things:
>
> 1st: as I read before, encrypt your password at (for example)
> base64:
> $user = "mario";
> $password = "Y0dGemMzZHZjbVE9"; (the word "password" encrypted at
> base64 TWICE, and looks like a plain text passwd)
>
> then, when you want to decrypt it and use it for logging in at some place
> of your scripts:
> echo base64_decode(base64_decode($password));
> or, to confuse the attacker more, you can do the same
> $pass_decrypted= base64_decode(base64_decode($password)); <--- but
> also encrypted in hex like this..:
>
> echo
> "base64_d& #x65;code(ba&#x 73;e64_deco ;de($pass& #x77;ord));";
> as doing with echo, when executed, the browser prints the result in
> plain text, showing base64_decode(base64_decode($password)), but the
> question is to save the plain text result, in a variable containing
> your password decrypted...
> I hope this will help you...I just improved this, 'cause I didn't
> have time to explore more this (I have to go to work now :( )
> Success!!! See u! =)

Sorry, I forgot to put the link I used to convert characters:
http://people.w3.org/rishida/scripts...conversion.php
good luck

Keniobats wrote:
> 1st: as I read before, encrypt your password at (for example)
> base64:
> $user = "mario";
> $password = "Y0dGemMzZHZjbVE9"; (the word "password" encrypted at

If the user can read that, then they can read this

> echo base64_decode(base64_decode($password));

And know how to decode the password.

--
//Aho

> If the user can read that, then they can read this

To me it somehow seems that the original poster is worried about someone taking a short look at the code, and being able to read the password. I understood that there is no need to be able to permanently obfuscate the password for those who have full access to the code.

If however that is the requirement, you are out of luck. I've never used Zend's platform products, but they might have some kind of solution to that.

Well, I was just thinking about similar behavior to Weblogic, where the db passwords are stored and connections created via manager-software. Something like this could of course be implemented quite straightforwardly as a php-extension, but whether that would be worth the effort is another issue.

So the user doesn't write:
<code>
mysql_connect("server", "username", "pass");
</code>

But rather:
<code>
$MyPlatform::getMysqlConnection("TheConnectionForMySyStem");
</code>

Or whatever.

--
Jussi

Deep abstraction kills strong typing.

http://disczero.com
http://view.fi
http://naamio.net
http://hoffburger.com

On May 27, 11:15 am, "_mario.lat" <n...@libero.it> wrote:
> hallo,
> I use PHP and I'd like to not write in hardcoded way password
> and login to access to mysql.
> how to not write password in code for access to mysql?
> How can I do?
> I'd like that who see my code don't see my passwords.
> there is a solution?
> Thank you in advance.
> Mario.

What is this group's overall view on setting up .htaccess with
something like:
php_value auto_prepend_file /path/to/password/file.php

Is this a "Good Thing" or a "Bad Thing"? I have not dared to use it
yet, though if it never "screws up" I'm inclined to think it is more
secure since the path is hidden even when they can see your scripts.

sundby wrote:
> On May 27, 11:15 am, "_mario.lat" <n...@libero.it> wrote:
>> hallo,
>> I use PHP and I'd like to not write in hardcoded way password
>> and login to access to mysql.
>> how to not write password in code for access to mysql?
>> How can I do?
>> I'd like that who see my code don't see my passwords.
>> there is a solution?
>> Thank you in advance.
>> Mario.
>
>
> What is this group's overall view on setting up .htaccess with
> something like:
> php_value auto_prepend_file /path/to/password/file.php
>
> Is this a "Good Thing" or a "Bad Thing"? I have not dared to use it
> yet, though if it never "screws up" I'm inclined to think it is more
> secure since the path is hidden even when they can see your scripts.

I don't think that will make any change in the security of the password and login to the sql server. In most cases, if a user is able to read the php code, then they are on the local machine and would as likely be able to read the .htaccess file and see where the password and login have been stored.

You really get more protection just by setting the right privileges on the file where the password and login have been stored: just set the file to belong to the user and the group that the web server is run as (usually username:apache), and then see to it that the file is readable by the web server (set g+r) and that everyone else doesn't have any privileges at all (set o-rwx). Now there are just three users who can read the password/login: the user itself, the web server and root (without SELinux like rules, nothing can stop root).

Keeping the file outside the "web root" means the file won't be directly accessible by web visitors; this way, disabling the .htaccess feature in apache or a misconfiguration of the php module won't make the login/password readable (of course if the user uses something like IIS, then it's possible to access files outside the "web root", but no sane person would use IIS).

--
//Aho

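The ownership, permission and location checks from the post above, as an added shell example that is not part of the thread. `lock_down` and `audit_cred_file` are hypothetical helper names, and the `apache` group and the paths in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Paths and the "apache" group are assumptions.

# abs_path FILE: absolute, symlink-resolved path of FILE's directory plus its name.
abs_path() {
    ( cd "$(dirname -- "$1")" && printf '%s/%s\n' "$(pwd -P)" "$(basename -- "$1")" )
}

# lock_down FILE [GROUP]: owner rw, group r, others nothing (g+r, o-rwx).
lock_down() {
    # chgrp works only if the caller is root or a member of GROUP.
    if [ -n "${2:-}" ]; then chgrp -- "$2" "$1" || return 1; fi
    chmod u=rw,g=r,o= -- "$1"
}

# audit_cred_file FILE WEBROOT: one line per finding; returns 0 only if clean.
audit_cred_file() {
    file=$1 webroot=$2 rc=0
    [ -f "$file" ] || { echo "FAIL: $file not found"; return 1; }
    w_abs=$(cd "$webroot" 2>/dev/null && pwd -P) ||
        { echo "FAIL: web root $webroot not found"; return 1; }

    mode=$(ls -ld -- "$file" | cut -c1-10)      # e.g. -rw-r-----
    group=$(printf '%s' "$mode" | cut -c5-7)
    other=$(printf '%s' "$mode" | cut -c8-10)

    # The web server reads the file through its group, so group read is required.
    case $group in
        r*) ;;
        *) echo "FAIL: group bits '$group' on $file, web server cannot read it"; rc=1 ;;
    esac
    # Nobody outside owner and group may have any access.
    if [ "$other" != "---" ]; then
        echo "FAIL: others have '$other' on $file, want '---'"
        rc=1
    fi
    # A file under the web root can be served if PHP or .htaccess handling breaks.
    case $(abs_path "$file") in
        "$w_abs"/*) echo "FAIL: $file is inside web root $webroot"; rc=1 ;;
    esac
    return $rc
}

# Usage (hypothetical paths):
#   lock_down /srv/private/db.php apache
#   audit_cred_file /srv/private/db.php /var/www/html
```
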
sundby wrote:
> On May 27, 11:15 am, "_mario.lat" <n...@libero.it> wrote:
>> hallo,
>> I use PHP and I'd like to not write in hardcoded way password
>> and login to access to mysql.
>> how to not write password in code for access to mysql?
>> How can I do?
>> I'd like that who see my code don't see my passwords.
>> there is a solution?
>> Thank you in advance.
>> Mario.
>
>
> What is this group's overall view on setting up .htaccess with
> something like:
> php_value auto_prepend_file /path/to/password/file.php
>
> Is this a "Good Thing" or a "Bad Thing"? I have not dared to use it
> yet, though if it never "screws up" I'm inclined to think it is more
> secure since the path is hidden even when they can see your scripts.
>

First of all, what good is it going to do you? If someone can see your source code, they can see your .htaccess.

Second, why auto-include the file where it's not needed (i.e. pages where you don't require database access)?

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

> What is this group's overall view on setting up .htaccess with
> something like:
> php_value auto_prepend_file /path/to/password/file.php
>
> Is this a "Good Thing" or a "Bad Thing"? I have not dared to use it
> yet, though if it never "screws up" I'm inclined to think it is more
> secure since the path is hidden even when they can see your scripts.

Why do so in an .htaccess file? Do so in the main apache config.

Besides, I do not think there is much security left if people can see the source code. The best way to "protect" the passwords is to make them useless: block any access from non-known machines (by IP address, for instance).

Best regards,
--
Willem Bogaerts
Application smith
Kratz B.V.
http://www.kratz.nl/

On Sun, 27 May 2007 17:15:42 +0800, mario.lat wrote
(in article <pan.2007.05.27.09.15.41.352361@libero.it>):

> hallo,
> I use PHP and I'd like to not write in hardcoded way password
> and login to access to mysql.
> how to not write password in code for access to mysql?
> How can I do?
> I'd like that who see my code don't see my passwords.
> there is a solution?
> Thank you in advance.
> Mario.

Well Mario, if you understood php, you would understand the answer to your question.

and don't cross post numb nuts

steve wrote:
> On Sun, 27 May 2007 17:15:42 +0800, mario.lat wrote
> (in article <pan.2007.05.27.09.15.41.352361@libero.it>):
>
>> hallo,
>> I use PHP and I'd like to not write in hardcoded way password
>> and login to access to mysql.
>> how to not write password in code for access to mysql?
>> How can I do?
>> I'd like that who see my code don't see my passwords.
>> there is a solution?
>> Thank you in advance.
>> Mario.
>
>
> Well Mario, if you understood php, you would understand the answer to your
> question.
>
> and don't cross post numb nuts
>
>

I think your response was completely uncalled for.

If you *really* understood PHP and web servers, you would understand things *can go wrong* - and mario's concern is well founded.

And you'd also understand that cross-posting is much preferred to multi-posting, numb nuts.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================