WebApp Sec mailing list archives

Re: MYSQL and PHP

From: Σπυρίδων Νίνος <sninos () ee duth gr>
Date: Sat, 20 May 2006 14:44:25 +0300

hello everybody,

I don't actually follow this thread, but I believe that
nobody has actually mentioned renaming your include file
in a name that begins with ".ht".

Given that almost any apache conf file has the following
(or similar):

--- cut here ---

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

--- cut here ---

you can name your file i.e .htphpincludes and you won't have to worry
about appearing in someone's browser.

That way you won't have to worry about a new-trainee-failure too.

Also, if you follow the common procedure for protecting the file
from system compromise (file permissions etc) then that should be
enough.

I used it once and it worked as I expected.

spyros

Kirk.Johnson () zootweb com wrote:

John Madden <chiwawa999 () yahoo com> wrote on 05/15/2006 12:07:57 PM:

Is it standard to use INC files to store MYSQL db
connections settings (username and password)?

What else could you do to make this "safer" ?


Summarizing the responses so far, four approaches to this problem have
been offered:

1. Make include files parseable as PHP, through a combination of filename
extension and httpd.conf.
2. Deny requests on include files, through a combination of filename
extension and httpd.conf.
3. Locate include files outside document root.
4. Use the mod_security package.

One potential issue with #1, seldom mentioned, is that include files may
then be executed out of context. You will have to be the judge if that is
a problem for each of your include files.

Any solution through httpd.conf (or other configuration) relies on the
"perfectability of man": the configuration must be re-created when the
server is rebuilt, the new trainee takes over, etc. I have personally seen
this approach fail when the configuration was not carried along during a
version upgrade.

I will cast my vote for #3, when it is possible to do so. Chris Shiflett
[Essential PHP Security] also recommends this as the primary approach.

Kirk






-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire named worldwide market share leader in web application security 
assessment by leading market research firm. Watchfire's AppScan is the 
industry's first and leading web application security testing suite, and 
the only solution to provide comprehensive remediation tasks at every 
level of the application. See for yourself. 
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------

Current thread:

Re: MYSQL and PHP, (continued)
- - Re: MYSQL and PHP bugtraq (May 16)
    - Re: MYSQL and PHP Reid Nichol (May 17)
- Re: MYSQL and PHP r0xes (May 16)
- Re: MYSQL and PHP Kevin Johnson (May 16)
- Re: MYSQL and PHP Jason Ross (May 16)
- Re: MYSQL and PHP Klientų aptarnavimas (May 16)
- Re: MYSQL and PHP Kirk . Johnson (May 16)
- Re: MYSQL and PHP Ed J. Aivazian (May 17)
- Re: MYSQL and PHP wilson . amajohn (May 17)
- RE: MYSQL and PHP Wall, Kevin (May 18)
- Re: MYSQL and PHP Σπυρίδων Νίνος (May 20)
- Re: MYSQL and PHP s89df987 s9f87s987f (May 21)