Re: MYSQL and PHP

[Kirk.Johnson () zootweb com]

John Madden <chiwawa999 () yahoo com> wrote on 05/15/2006 12:07:57 PM:

> Is it standard to use INC files to store MYSQL db
> connections settings (username and password)? 
>
> What else could you do to make this "safer" ?

Summarizing the responses so far, four approaches to this problem have 
been offered:

1. Make include files parseable as PHP, through a combination of filename 
extension and httpd.conf.
2. Deny requests on include files, through a combination of filename 
extension and httpd.conf.
3. Locate include files outside document root.
4. Use the mod_security package.

One potential issue with #1, seldom mentioned, is that include files may 
then be executed out of context. You will have to be the judge if that is 
a problem for each of your include files.

Any solution through httpd.conf (or other configuration) relies on the 
"perfectability of man": the configuration must be re-created when the 
server is rebuilt, the new trainee takes over, etc. I have personally seen 
this approach fail when the configuration was not carried along during a 
version upgrade.

I will cast my vote for #3, when it is possible to do so. Chris Shiflett 
[Essential PHP Security] also recommends this as the primary approach.

Kirk


-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire named worldwide market share leader in web application security 
assessment by leading market research firm. Watchfire's AppScan is the 
industry's first and leading web application security testing suite, and 
the only solution to provide comprehensive remediation tasks at every 
level of the application. See for yourself. 
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------