Securing PHP scripts

on 19.08.2003 04:32:37 by Cody Phanekham

In an attempt to secure the PHP/PostgreSQL server I'm working on, I've set up Postgres so that any connection made to the database requires a valid password.

Now to connect to the DB via PHP, I have the password hard coded (which is in clear text).

Here is my question: Is there a way around storing the password in clear text?

----------
Regards

Cody Phanekham

Email: cody.phanekham@salmat.com.au
Ext: 2183
Phone: 02 9353 2183


---------------------------(end of broadcast)---------------------------
TIP 6: Have you searched our list archives?

http://archives.postgresql.org

Re: Securing PHP scripts

on 19.08.2003 04:54:34 by brew

Cody.....

> Now to connect to the DB via PHP, I have the password hard coded (which is in clear text).
>
> Here is my question: Is there a way around storing the password in clear text?

But no user can ever read that clear text, right? They should only get
the PHP script output which normally wouldn't contain the user name and
password.....

There can be a danger of other users on the machine being able to see the
clear text password if it's a shared machine and if they are able to read
the script, though!

Of course that didn't answer your question...... maybe somebody else knows
a way around storing it in clear text.

BTW, for the best security you should be sure and run PHP with
register_globals off in the php.ini config file, read about it at

http://us4.php.net/register_globals

Sorry if I'm telling you a bunch of stuff you already know anyway.......

brew


Re: Securing PHP scripts

on 19.08.2003 05:04:55 by Luke Woollard

I don't know of any..

Luke Woollard
HPAD.com


Re: Securing PHP scripts

on 19.08.2003 05:08:46 by Cody Phanekham

I should have mentioned that the server is a dedicated PHP / PostgreSQL server, therefore no other user would have access to it.

My only concern is *if* the server gets compromised, then the attacker would have access to the DB without too much effort.


Re: Securing PHP scripts

on 19.08.2003 08:49:05 by akopciuch

On Monday 18 August 2003 21:08, Cody Phanekham wrote:
> I should have mentioned that the server is a dedicated PHP / PostgreSQL
> server, therefore no other user would have access to it.
>
> My only concern is *if* the server gets compromised, then the attacker
> would have access to the DB without too much effort.
>

If by "compromised" you mean rooted, then the attacker can do whatever they
like on the system anyways. If someone has root on a box ... they have
access to the DB ... with or without a password to begin with.

Andy

Re: Securing PHP scripts

on 19.08.2003 13:30:27 by Martin Marques

On Tue, 19 Aug 2003 00:08, you wrote:
> I should have mentioned that the server is a dedicated PHP / PostgreSQL
> server, therefore no other user would have access to it.
>
> My only concern is *if* the server gets compromised, then the attacker
> would have access to the DB without too much effort.

IF the attacker compromises your server access, I think there will be other things to be MORE concerned about.

-- 
Why use just any relational database
when you can use PostgreSQL?
-----------------------------------------------------------------
Martín Marqués | mmarques@unl.edu.ar
Programmer, Administrator, DBA | Centro de Telematica
Universidad Nacional del Litoral
-----------------------------------------------------------------


Re: Securing PHP scripts

on 19.08.2003 17:39:09 by Bruno Wolff III

On Tue, Aug 19, 2003 at 13:08:46 +1000,
Cody Phanekham wrote:
> I should have mentioned that the server is a dedicated PHP / PostgreSQL server, therefore no other user would have access to it.

If they are on the same machine, then ident authentication might be
appropriate to use.
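An added example, not code from any poster in this thread, showing both routes the thread discusses: Bruno's ident authentication over the Unix socket, which keeps the password out of the script entirely, and, where a password is still required, reading it from a file outside the document root whose permissions are checked before use. The role `webapp`, the database `appdb` and the path `/etc/myapp/db.ini` are assumed names.

```php
<?php
// Added example; assumed names: OS/DB role "webapp", database "appdb",
// credentials file /etc/myapp/db.ini (outside the document root).
// Route 1: no password in the script at all. With the web server running
// as OS user "webapp" and this pg_hba.conf line for the Unix socket:
//   local   appdb   webapp   ident sameuser   # PostgreSQL 7.x/8.x syntax
//   local   appdb   webapp   peer             # PostgreSQL 9.1 and later
// the server authenticates by the connecting OS user, so no secret is stored.
function connect_via_socket(string $dbname, string $user)
{
    // Omitting host= makes libpq use the local Unix socket, not TCP.
    $conn = @pg_connect(sprintf('dbname=%s user=%s', $dbname, $user));
    if ($conn === false) {
        throw new RuntimeException('socket connection failed: ' . (error_get_last()['message'] ?? '?'));
    }
    return $conn;
}

// Route 2: a password is unavoidable (e.g. TCP to another host). Keep it in a
// file outside the web root, owned by the httpd user, mode 0600, and refuse to
// start if anyone else could read it.
function load_db_credentials(string $path): array
{
    if (!is_file($path)) {
        throw new RuntimeException("credentials file $path not found");
    }
    $mode = fileperms($path) & 0777;
    if ($mode & 0077) {   // any group/other permission bit set
        throw new RuntimeException(sprintf('%s is mode %04o; expected 0600', $path, $mode));
    }
    $cfg = parse_ini_file($path);
    foreach (['host', 'dbname', 'user', 'password'] as $key) {
        if ($cfg === false || empty($cfg[$key])) {
            throw new RuntimeException("missing $key in $path");
        }
    }
    return $cfg;
}
function connect_with_file_credentials(string $path)
{
    $c = load_db_credentials($path);
    // Quote each value so spaces, quotes or backslashes in it cannot change the
    // conninfo string (libpq escapes ' and \ with a backslash inside quotes).
    $q = fn(string $v) => "'" . addcslashes($v, "'\\") . "'";
    $conn = @pg_connect(sprintf('host=%s dbname=%s user=%s password=%s',
        $q($c['host']), $q($c['dbname']), $q($c['user']), $q($c['password'])));
    if ($conn === false) {
        throw new RuntimeException('connection failed: ' . (error_get_last()['message'] ?? '?'));
    }
    return $conn;
}
```

Route 1 still leaves anything running as the httpd user able to reach the database, which is the point Cody raises next; it removes the stored secret, not the trust placed in that OS account.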

Re: Securing PHP scripts

on 19.08.2003 18:00:47 by Scott Marlowe

On Tue, 19 Aug 2003, Cody Phanekham wrote:

> I should have mentioned that the server is a dedicated PHP / PostgreSQL
> server, therefore no other user would have access to it.
>
> My only concern is *if* the server gets compromised, then the attacker
> would have access to the DB without too much effort.

If the server gets compromised, you've lost. If they just get to execute
arbitrary code as the httpd user, you've lost, if they can execute
arbitrary code as root you've doubly lost.

Unless your system is designed for anonymous database access to be
secure, you can't really protect it from a rogue web server.