How to protect my logon database from PHP code source ?

maco

Hi all,

I have a PHP page and noticed whenever I view using source code from my browser it excludes all my PHP tagging . . .

1) Is it safe enough to say that my logon database is secured ?

2) Is there any more that I can do to make it more secure ?

Thanks . . .

PhantomBeaker

Um, I think at this point we need to clarify one or two things.

PHP is a server-side language. This means that the php script is processed on the server, and then the output is sent to the browser. So the browser doesn't see the source code... just the end product. As you have discovered.

However, when it comes to security it pays to be uber paranoid. A good while ago there was the "dot" exploit, where you put a dot at the end of the address for the php script so you could see the source code. While the PHP project strives for security there are occasionally bugs. So, I can't say for sure that your logon database is secured.

The other thing is, you have to ask who else has access to your server? I.e. is this a system that where lots of other users have access? If so, can they read your script? If they can't read it under normal permissions, is php running as a cgi module or as an apache module (I've noticed a few security holes for scripts when it runs as an apache module)?

Now, is the dbms on the same server as the webserver? If it is, and there are other users, make sure that you have a password for it set and that it requires passwords to be given to login as your user (some databases like postgresql can be set to not to require passwords - in fact this is default behaviour). If it's on the same server people might try checking standard database server ports to try and connect, so lock it down to accept only local connections (for UNIX systems get it to accept only unix socket connections - local users can connect, such as your script, but the outside can't hit on it). If you have the database on a different server to the web server, set up the database server to only accept connections from your web server, or wherever else legitimate users can connect from. If possible set it up so that your user is only let logon to the database from certain IPs.

I'm sure others can think of ways to make sure your database is more secure. As rsynott says to someone else in another post - LEARN ABOUT SQL INJECTION! Learn to love the addslashes() function (I think that's the name) and MAGIC_QUOTES.

Then your server should be somewhat more secure.

Aoife

maco

Thanks Aoife, I am running under Apache, dbms on the same server as the webserver, I defined my user and password and file in that the same PHP script, just worried if they have they can read my script it will show all user, password and file as well that I used.

Thaks for that very informative reply, I try to read more on that addslashes() function and see if will that helps me.

Thanks . . .

PhantomBeaker

Well, basically if the machine has any other users on it, just make sure the permissions are set such that they can't read your script, but that apache can.