WebApp Sec mailing list archives
Re: MYSQL and PHP
From: Σπυρίδων Νίνος <sninos () ee duth gr>
Date: Sat, 20 May 2006 14:44:25 +0300
hello everybody,

I don't actually follow this thread, but I believe that nobody has actually mentioned renaming your include file to a name that begins with ".ht". Given that almost any apache conf file has the following (or similar):

--- cut here ---
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>
--- cut here ---

you can name your file i.e. .htphpincludes and you won't have to worry about it appearing in someone's browser. That way you won't have to worry about a new-trainee failure too. Also, if you follow the common procedure for protecting the file from system compromise (file permissions etc.) then that should be enough.

I used it once and it worked as I expected.

spyros

Kirk.Johnson () zootweb com wrote:
> John Madden <chiwawa999 () yahoo com> wrote on 05/15/2006 12:07:57 PM:
> > Is it standard to use INC files to store MYSQL db connections settings (username and password)? What else could you do to make this "safer"?
>
> Summarizing the responses so far, four approaches to this problem have been offered:
>
> 1. Make include files parseable as PHP, through a combination of filename extension and httpd.conf.
> 2. Deny requests on include files, through a combination of filename extension and httpd.conf.
> 3. Locate include files outside document root.
> 4. Use the mod_security package.
>
> One potential issue with #1, seldom mentioned, is that include files may then be executed out of context. You will have to be the judge if that is a problem for each of your include files.
>
> Any solution through httpd.conf (or other configuration) relies on the "perfectability of man": the configuration must be re-created when the server is rebuilt, the new trainee takes over, etc. I have personally seen this approach fail when the configuration was not carried along during a version upgrade.
>
> I will cast my vote for #3, when it is possible to do so. Chris Shiflett [Essential PHP Security] also recommends this as the primary approach.
>
> Kirk
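A small checker, added here as an example and not code from anyone in the thread, that puts the two points above side by side: it parses the `<Files ~ "^\.ht">` deny block out of a constructed httpd.conf fragment to show which include-file names would still be served (a plain `db.inc` versus Spyros' `.htphpincludes`), shows the result once that block is lost in a rebuild as Kirk describes, and checks Kirk's preferred approach #3 (include kept outside DocumentRoot). The config text, DocumentRoot and file paths are all constructed for the example.

```python
import re
from pathlib import PurePosixPath

# Constructed httpd.conf fragment carrying the <Files ~ "^\.ht"> block the post relies on.
SAMPLE_CONF = r'''
DocumentRoot "/var/www/html"
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>
'''

# Constructed variant with the block missing, as after a rebuild that lost the configuration.
STRIPPED_CONF = 'DocumentRoot "/var/www/html"\n'

_FILES_BLOCK = re.compile(
    r'<Files(?P<fm>Match)?\s+(?P<tilde>~\s+)?"(?P<pat>[^"]+)"\s*>(?P<body>.*?)</Files(?:Match)?>',
    re.S | re.I,
)
_DENY_LINE = re.compile(r"^\s*(Deny from all|Require all denied)\s*$", re.M | re.I)

def deny_patterns(conf):
    """Regexes from <Files ~ "..."> / <FilesMatch "..."> blocks whose body denies all access."""
    return [m.group("pat") for m in _FILES_BLOCK.finditer(conf)
            if (m.group("fm") or m.group("tilde")) and _DENY_LINE.search(m.group("body"))]

def is_served(conf, rel_path):
    """True if a request for rel_path (under DocumentRoot) is not caught by a deny block.
    Only the final file name is tested, which is how <Files>/<FilesMatch> match."""
    name = PurePosixPath(rel_path).name
    return not any(re.search(p, name) for p in deny_patterns(conf))

def document_root(conf):
    m = re.search(r'^\s*DocumentRoot\s+"?([^"\n]+?)"?\s*$', conf, re.M | re.I)
    return PurePosixPath(m.group(1)) if m else None

def outside_docroot(conf, include_path):
    """Approach #3 from the thread: an include outside DocumentRoot has no URL at all."""
    root = document_root(conf)
    return root is not None and not PurePosixPath(include_path).is_relative_to(root)

if __name__ == "__main__":
    for f in ("db.inc", ".htphpincludes", "lib/.htphpincludes"):
        print(f"{f:22} served: {is_served(SAMPLE_CONF, f)}")
    print("after rebuild, .htphpincludes served:", is_served(STRIPPED_CONF, ".htphpincludes"))
    print("/etc/myapp/db.inc.php outside docroot:", outside_docroot(SAMPLE_CONF, "/etc/myapp/db.inc.php"))
```

Run against a real httpd.conf (with its Include files concatenated) the same functions tell you whether a given include name is covered by any deny block at all, which is the check a rebuild or version upgrade should be followed by.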