WebApp Sec mailing list archives
Re: MYSQL and PHP
From: Reid Nichol <rnichol_rrc () yahoo com>
Date: Tue, 16 May 2006 23:20:14 -0700 (PDT)
But an attacker from the outside will be attacking through the script (or so I'll assume here). So, the attacker will still have effective access to this information, or at least be able to use it, which is really the point.

So, my question is (though this may be a stupid one), what security benefits would you get from encrypted user/pass aside from security through obscurity at the "wrong" point of entry? After all, if the script can get at it automagically...

I really see this as the same solution as putting the user/pass in a non-encrypted way outside of document root. Out of reach of "common knowledge," but still trivial to use to attack the system.

Sure, as has been mentioned before, encrypting *may* slow down the attacker (from the inside). But, if the key is stored either in the DB or on another server or... how much more overhead is that going to incur? Is that even practical with a busy server? etc.

Also, will this even help? Will "that" particular implementation actually improve the situation? Or make it worse? After all, the more complicated the system, the more likely there are bugs, etc. sitting around.

IMO, put the user/pass in a file (.php) outside of document root. But, have several users with a variety of DB permissions, so that any given query has _only_ the permissions it absolutely needs. After that, if the web server is properly configured, it's up to the webapp to sanitize the input and make sure the user is actually the user, etc.

Unless I'm missing something entirely... maybe... it's late.

best regards,
Reid

--- bugtraq () cgisecurity net wrote:
> Windows provides a way in ASP.NET to store the user/pass encrypted in the registry and simply referencing it in your web.config allows it to automagically work. I'm curious what solutions for php exist to allow encrypted storage of sql login credentials so we can avoid the whole storage in cleartext on the filesystem?
>
> - zeno
> http://www.cgisecurity.com/ Web Security news, and More
> http://www.cgisecurity.com/index.rss [RSS Feed]
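Reid's recommendation (credentials in a .php file outside the document root, plus several DB accounts so each query has only the permissions it needs), as an added example that is not code from the thread; the paths, database, table and account names are assumptions:

```php
<?php
// Added example, not code from the thread. Paths, database, table and account
// names are assumptions. The credentials file lives outside the document root
// and is readable only by the web server user, and each unit of work connects
// as the least-privileged MySQL account that can perform it.
// /srv/app/private/db_credentials.php (outside the web root):
//   <?php
//   return [
//       'reader' => ['user' => 'app_reader', 'pass' => 'READER_SECRET'],
//       'writer' => ['user' => 'app_writer', 'pass' => 'WRITER_SECRET'],
//   ];
// Matching MySQL grants, one account per role (run once as an administrator):
//   CREATE USER 'app_reader'@'localhost' IDENTIFIED BY 'READER_SECRET';
//   GRANT SELECT ON shop.products TO 'app_reader'@'localhost';
//   CREATE USER 'app_writer'@'localhost' IDENTIFIED BY 'WRITER_SECRET';
//   GRANT SELECT, INSERT ON shop.orders TO 'app_writer'@'localhost';

const DB_HOST = 'localhost';
const DB_NAME = 'shop';
const CREDENTIALS_FILE = '/srv/app/private/db_credentials.php';

// Open a connection using only the account assigned to the given role.
function db_connect(string $role): mysqli
{
    $creds = require CREDENTIALS_FILE;
    if (!isset($creds[$role])) {
        throw new RuntimeException("Unknown database role: $role");
    }
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli(DB_HOST, $creds[$role]['user'], $creds[$role]['pass'], DB_NAME);
}

// Read-only page: an injection bug here cannot reach beyond SELECT on products.
function list_products(): array
{
    $db = db_connect('reader');
    $result = $db->query('SELECT id, name, price FROM products WHERE active = 1');
    return $result->fetch_all(MYSQLI_ASSOC);
}

// Order placement: the writer account has no rights on any other table.
function place_order(int $productId, int $qty): int
{
    $db = db_connect('writer');
    $stmt = $db->prepare('INSERT INTO orders (product_id, qty) VALUES (?, ?)');
    $stmt->bind_param('ii', $productId, $qty);
    $stmt->execute();
    return (int) $db->insert_id;
}
```

With separate accounts, a flaw in the read-only page is bounded by the reader grant, and a review of `SHOW GRANTS` for each account is a quick check that no query runs with more than it needs.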