Radicore Forum
Fast Uncompromising Discussions. FUDforum will get your users talking.
Home » RADICORE development » Menu and Security » hiding control.inc database connection details
hiding control.inc database connection details [message #588] Sun, 04 February 2007 16:59 Go to next message
stephenboey is currently offline  stephenboey
Messages: 54
Registered: January 2007
Member
Hi Tony,

I am not sure where I should post this.

1. Where do you store your port information for 3306? If I have more than one mysql installation how does your code know which one to connect to?

2. Do you know of a way in order not to hardcode the values of:
$GLOBALS['dbusername'], $GLOBALS['dbuserpass'] ? Its quite a big security risk because one these user names will have access to many databases.
Will appreciate any suggestions.

Report message to a moderator

Re: hiding control.inc database connection details [message #589 is a reply to message #588] Sun, 04 February 2007 18:48 Go to previous messageGo to next message
AJM is currently offline  AJM
Messages: 2370
Registered: April 2006
Location: Surrey, UK
Senior Member
It is not usual to have more than one MySQL server on a single PC, which is why I have never implemented that option. You could try creating a new variable called $GLOBALS['dbport'] and adding that to the argument list in the connect() method. Let me know if it works and I'll add it to the standard code.

The values for $GLOBALS['dbusername'] and $GLOBALS['dbuserpass'] have got to be maintained somewhere, but to keep them secure on a public server you should put your INCLUDES directory (which contains the CONFIG.INC file) outside of your web root.

Tony Marston
http://www.tonymarston.net
http://www.radicore.org

Report message to a moderator

Re: hiding control.inc database connection details [message #590 is a reply to message #589] Mon, 05 February 2007 03:57 Go to previous messageGo to next message
stephenboey is currently offline  stephenboey
Messages: 54
Registered: January 2007
Member
Looked through your connect method. Seems like there is a $dbhost variable for mysql_connect.

So I did a 'host:port' and it works.

I think there was an article you wrote about encryption.
The thing about php is, source codes are revealed and the $key has to be somewhere.

Usually if there is an IT audit, the first question asked is where do you store the $key?

I had to encrypt the key as well with another key stored in one of the variables in VB. VB programs are compiled, so no worries there....

Report message to a moderator

Re: hiding control.inc database connection details [message #591 is a reply to message #590] Mon, 05 February 2007 04:15 Go to previous message
AJM is currently offline  AJM
Messages: 2370
Registered: April 2006
Location: Surrey, UK
Senior Member
If the CONFIG.INC file is stored outside the web root then nobody can access it through the web server. If they have direct access to your PC (and malicious intent) then database passwords are the least of your worries.

PHP is interpretted, not compiled, so no binaries are involved. All the files are plain text and can be viewed and modified with any text editor.

Tony Marston
http://www.tonymarston.net
http://www.radicore.org

Report message to a moderator

Previous Topic: Multi-page Wizards
Next Topic: Adding membership subscription functionality to RBAC
Goto Forum:
  

[ Syndicate this forum (XML) ] [ RSS ] [ PDF ]

Current Time: Tue Nov 26 19:05:28 EST 2024

Total time taken to generate the page: 0.01040 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.1.3.
Copyright ©2001-2023 FUDforum Bulletin Board Software