WebApp Sec mailing list archives

Re: MYSQL and PHP

From: Reid Nichol <rnichol_rrc () yahoo com>
Date: Tue, 16 May 2006 23:20:14 -0700 (PDT)

But an attacker from the outside will be attacking through the script
(or so I'll assume here).  So, the attacker will still have effective
access to this information, or at least be able to use it, which is
really the point.  So, my question is (though this may be a stupid
one), what security benefits would you get from encrypted user/pass
aside from security through obscurity at the "wrong" point of entry? 
After all, if the script can get at it automagically...

I really see this as the same solution as putting the user/pass in a
non-encrypted way outside of document root.  Out of reach of "common
knowledge," but still trivial to use to attack the system.

Sure, as has been mentioned before, encrypting *may* slow down the
attacker (from the inside).  But, if the key is stored either in the DB
or on another server or... how much more overhead is that going to
incurr?  Is that even practical with a busy server?  etc.

Also, will this even help?  Will "that" particular implimentation
actually improve the situation? or make it worse?  After all, the more
complicated the system, the more likely there are bugs, etc sitting
around.


IMO, put the user/pass in a file (.php) outside of document root.  But,
have several users with a variety of DB permissions, so that any given
query has _only_ the permissions it absolutely needs.

After that, if the web server is properly configured, it's up to the
webapp to sanitize the input and make sure the user is actually the
user, etc.  Unless I'm missing something entirely... maybe... it's
late.



best regards,
Reid


--- bugtraq () cgisecurity net wrote:

Windows provides a way in ASP.NET to store the user/pass encrypted in
the registry and simply referencing it in your web.config
allows it to automagically work. I'm curious what solutions for php
exist to allow encrypted storage of sql login credentials
so we can avoid the whole storage in cleartext on the filesystem?

- zeno
http://www.cgisecurity.com/ Web Security news, and More
http://www.cgisecurity.com/index.rss [RSS Feed]





__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire named worldwide market share leader in web application security 
assessment by leading market research firm. Watchfire's AppScan is the 
industry's first and leading web application security testing suite, and 
the only solution to provide comprehensive remediation tasks at every 
level of the application. See for yourself. 
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------

Current thread:

MYSQL and PHP John Madden (May 15)
- Re: MYSQL and PHP Mark Sanders (May 16)
- Re: MYSQL and PHP Robin Wood (May 16)
- Re: MYSQL and PHP Todd Hendricks (May 16)
- Re: MYSQL and PHP Gerald Quakenbush (May 16)
  - Re: MYSQL and PHP Robin Wood (May 16)
    - Re: MYSQL and PHP Gerald Quakenbush (May 16)
  - Re: MYSQL and PHP bugtraq (May 16)
    - Re: MYSQL and PHP Reid Nichol (May 17)
- Re: MYSQL and PHP r0xes (May 16)
- Re: MYSQL and PHP Kevin Johnson (May 16)
- Re: MYSQL and PHP Jason Ross (May 16)
- Re: MYSQL and PHP Klientų aptarnavimas (May 16)
- Re: MYSQL and PHP Kirk . Johnson (May 16)
- Re: MYSQL and PHP Ed J. Aivazian (May 17)
- <Possible follow-ups>
- Re: MYSQL and PHP wilson . amajohn (May 17)
- RE: MYSQL and PHP Wall, Kevin (May 18)
- Re: MYSQL and PHP Σπυρίδων Νίνος (May 20)
- Re: MYSQL and PHP s89df987 s9f87s987f (May 21)