database password

Howdy all,

Just wondering what -- if anything -- people are doing to protect
plaintext database passwords in their PHP scripts. Ultimately, PHP needs
a plaintext password to create the database connection, so it seems that
obfuscation is the best we can achieve on this front. While not really
secure by itself, obfuscation along with other measures (firewall,
privilege separation, file system privileges, etc) can help slow someone
down. So I've been looking into this approach at the moment. Any other
ideas out there?

Thanks,
Roberto

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

RE: database password

store your password/access credentials outside the web root and use php to
read the data in. Another alternative is to wrap those items in a function
and check the calling source to make sure its only your application

hth

Bastien


>From: Roberto Mansfield
>To: php-db@lists.php.net
>Subject: [PHP-DB] database password
>Date: Tue, 03 Apr 2007 09:39:32 -0400
>
>Howdy all,
>
>Just wondering what -- if anything -- people are doing to protect
>plaintext database passwords in their PHP scripts. Ultimately, PHP needs
>a plaintext password to create the database connection, so it seems that
>obfuscation is the best we can achieve on this front. While not really
>secure by itself, obfuscation along with other measures (firewall,
>privilege separation, file system privileges, etc) can help slow someone
>down. So I've been looking into this approach at the moment. Any other
>ideas out there?
>
>Thanks,
>Roberto
>
>--
>PHP Database Mailing List (http://www.php.net/)
>To unsubscribe, visit: http://www.php.net/unsub.php
>

____________________________________________________________ _____
http://local.live.com/?mkt=en-ca/?v=2&cid=A6D6BDB4586E357F!4 20

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: database password

Bastien Koert wrote:
> store your password/access credentials outside the web root and use php
> to read the data in.

This is good for web attacks, but I'm thinking of an account break in
where someone is accessing files directly on the server.

> Another alternative is to wrap those items in a
> function and check the calling source to make sure its only your
> application

How would you do this?

Thanks,
Roberto



>> From: Roberto Mansfield
>> To: php-db@lists.php.net
>> Subject: [PHP-DB] database password
>> Date: Tue, 03 Apr 2007 09:39:32 -0400
>>
>> Howdy all,
>>
>> Just wondering what -- if anything -- people are doing to protect
>> plaintext database passwords in their PHP scripts. Ultimately, PHP needs
>> a plaintext password to create the database connection, so it seems that
>> obfuscation is the best we can achieve on this front. While not really
>> secure by itself, obfuscation along with other measures (firewall,
>> privilege separation, file system privileges, etc) can help slow someone
>> down. So I've been looking into this approach at the moment. Any other
>> ideas out there?
>>
>> Thanks,
>> Roberto
>>
>> --
>> PHP Database Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>
> ____________________________________________________________ _____
> http://local.live.com/?mkt=en-ca/?v=2&cid=A6D6BDB4586E357F!4 20

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: database password

Roberto Mansfield wrote:
> Bastien Koert wrote:
>> store your password/access credentials outside the web root and use php
>> to read the data in.
>
> This is good for web attacks, but I'm thinking of an account break in
> where someone is accessing files directly on the server.

I suggest you think about this for a second before you start designing
with a really pointless obfuscation system. Say someone is accessing
files directly on the server... if they can get at the file that
contains the password then they can also get at the PHP code that will
de-obfuscate it. Spend your time locking the doors rather than putting
5-minute obstacles in the path.

-Stut

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: database password

Stut wrote:
> Roberto Mansfield wrote:
>> Bastien Koert wrote:
>>> store your password/access credentials outside the web root and use php
>>> to read the data in.
>>
>> This is good for web attacks, but I'm thinking of an account break in
>> where someone is accessing files directly on the server.
>
> I suggest you think about this for a second before you start designing
> with a really pointless obfuscation system. Say someone is accessing
> files directly on the server... if they can get at the file that
> contains the password then they can also get at the PHP code that will
> de-obfuscate it. Spend your time locking the doors rather than putting
> 5-minute obstacles in the path.

Yes, I have thought about this. We've spent time locking the doors.
There are many layers in place. As I said, this is not the only type of
security being considered. But if a new exploit comes out and someone
does gain unauthorized access to the file system, I'd rather not hand
them a plaintext password.

So is anyone doing anything to protect plain text passwords in the
filesystem?

Thanks,
Roberto

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: database password

On 04/03/2007 07:35 AM, Roberto Mansfield wrote:
>
> So is anyone doing anything to protect plain text passwords in the
> filesystem?
>
>
>
Yeah, I make sure people I don't want reading the passwords don't get
into the filesystem. :)

-Micah

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php