Re: PHP/MySQL oldies

GT <spam@xxxxxxxxxxxxx> writes:
> 1) Security
> 
> Would someone be kind enough to explain to me how a MySQL password is
> secure when you leave it lying around in a PHP file on your web server?
> e.g.
> mysql_pconnect("localhost","gt","pass");
> I'd be putting it on a UNIX server, and as I understand it, Apache
> needs read permissions - how is this safe? Surely another user of the
> server can see my password?

Three options:
 - if everything on the server is run via suexec (or an equivalent for
   non-CGI) then it's safe provided the file has filesystem
   permissions set to user-readable only.
 - if every bit of dynamic scripting on the server is via PHP, and PHP
   safe mode is always enabled, then [1] provided the filesystem
   permissions are set to only allow user+webserver to read, it's
   fine.
 - Give each user their own webserver process su'd to them.

The second scenario sounds most likely. If PHP isn't in safe mode, and
isn't suexeced, then there's nothing you can do to protect your
password from another user doing
readfile("/users/you/public_html/db.php"); in their own scripts.

[1] Assuming no safe mode bugs, which do come up occasionally.

> 2) Cookies
> 
> I need to do a kind of simple shopping basket thing... is using cookies
> the right way to go about this or will people turn them off for fear
> of being tracked?

Cookies I think are okay if you let people know why you might need
them first. If a site asks to set a cookie when I hit the first page
of it, then it goes straight in my reject list. If it asks to set a
cookie only when I start doing something it might reasonably need one
for (such as the first time I add to a basket) then I let it through.
Can't speak for anyone else, of course, and in my own applications I
tend to use GET [2] or POST to transfer state instead.

[2] Don't use GET if the information is confidential, because there's
an issue with offsite links and referer headers that allows for
session hijacking.

-- 
Chris
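
An added illustration of the permission rules above (example code, not from Chris's post): a POSIX shell helper that classifies who can read a credential file and applies the owner-only mode the suexec option needs, or the owner+webserver-group mode the safe-mode option needs. The names `cred_exposure`, `harden_creds` and `demo` are hypothetical, and the file contents are constructed.

```shell
#!/bin/sh
# Hypothetical audit helper (added example, not from the post): report whether
# a PHP file holding DB credentials can be read by other local users.

# cred_exposure FILE -> prints "world", "group" or "owner-only"
cred_exposure() {
    f=$1
    if [ -n "$(find "$f" -prune -perm -004 -print 2>/dev/null)" ]; then
        echo world        # any other user can readfile() it from their scripts
    elif [ -n "$(find "$f" -prune -perm -040 -print 2>/dev/null)" ]; then
        echo group        # readable by the file's group (e.g. the webserver's)
    else
        echo owner-only   # only works when scripts run as you (suexec, own process)
    fi
}

# harden_creds FILE [GROUP]: 0600 for the suexec / per-user-server case, or
# 0640 with GROUP set to the webserver's group for the safe-mode case.
harden_creds() {
    f=$1; g=$2
    if [ -n "$g" ]; then
        chgrp "$g" "$f" && chmod 0640 "$f"
    else
        chmod 0600 "$f"
    fi
}

# Demo on a constructed file, not anyone's real db.php.
demo() {
    tmp=$(mktemp) || return 1
    printf '<?php mysql_pconnect("localhost","gt","pass");\n' > "$tmp"
    chmod 0644 "$tmp"         # the usual default: every local user can read it
    before=$(cred_exposure "$tmp")
    harden_creds "$tmp"       # suexec case: owner-only
    after=$(cred_exposure "$tmp")
    rm -f "$tmp"
    echo "$before -> $after"  # prints "world -> owner-only"
}
```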