[FX.php List] Security Question

Andrew Denman adenman at tmea.org
Wed Apr 30 09:18:45 MDT 2008


Since it looks like the list is working again... Let's see if this makes it
to everyone this time.

I keep the server-data.php files outside of the web directory. This is a
very easy way to keep the password files out of view from the public.

I'm not sure about keeping that data in a remote location because then you
have to make sure it is transferred to your server securely for each
transaction (ie: SSL).  It could be useful in a shared hosting situation
where you don't have an 'outside the web directory' area, but those
passwords are still available to the web from the remote location. This just
seems overly complicated for the benefit derived.

I have heard about encrypting the passwords so they aren't in plain text,
though I don't do so. I haven't had the time to fully investigate creating
encryption and decryption routines. Does anyone here encrypt their database
passwords?

Andrew Denman 


-----Original Message-----
From: fx.php_list-bounces at mail.iviking.org
[mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Steve Winter
Sent: Wednesday, April 30, 2008 2:29 AM
To: 'FX.php Discussion List'
Subject: RE: [FX.php List] Security Question

Hi Jonathan,

First off, as long as the file has a .php extension, or the extension that
it does have is configured by your webserver to be processed as PHP, then
the security related risk is low... if someone does (somehow, since no
spider ever will) discover the site, the PHP processeser will parse the
file, load a bunch of variables, and that will be the end of it since
there's nothing in the (typical) file to output anything to the browser...

That said, it's technically possible to create a request for the file from a
web server, which I guess is undesireable...

The solution is to move the file from it's current location, in a web
accessible folder, and place it in the default 'includes' folder, which is
not web accessible, only include-accessible...

I seem to recall talking with you about this folder in the past, I think it
relateds to having 'global' include files for multiple separate virtual
'hosts' on your server...

If you do a phpinfo() you'll be able to locate the default include folder
(or if you've got error reporting turned on, simply include 'foo.php' in a
test page and read the error...

By default, if no path to an include file is specified, PHP will look for a
file with that name in the same folder as the file doing the include... if
it doesn't find it there, it'll look in the default PHP include folder...

If you do go down this router, you may need to have a different file for
each virtual site that you host, since you'll likely need to have different
values in those for the different databases in question...

Hope this makes sense, if not, let me know...

Cheers
(Very busy) Steve (which is why no posts lately ;-)

-----Original Message-----
From: fx.php_list-bounces at mail.iviking.org
[mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Kevin Futter
Sent: Wednesday, 30 April 2008 4:15 a.m.
To: FX.php Discussion List
Subject: Re: [FX.php List] Security Question

On 25/04/08 8:21 AM, "Jonathan Schwartz" <jschwartz at exit445.com> wrote:

> Hi Folks,
> 
> I'm interested to know if folks store username, passwords and other
> sensitive data in the FX/server-data.php file. Or, do you relocate
> these "keys to the kingdom" to a remote location?  I have seen advise
> to keep the info out of the web server folder altogether.
> 
> Any advise?
> 
> J

I store them there, and haven't had any problems (that I know about), but
keeping them as far away from the end user as possible is always a good
idea. However, I'm not sure how you'd go about this and still have them
available to PHP, keeping in mind I'm no expert in PHP include paths.

In my case though, the credentials in server_data.php just grant access to
FM files; the nature and extent of that access is controlled by the files
themselves. For user authentication, we use Active Directory and LDAP
anyway, so that's not a FileMaker issue for us.

-- 
Kevin Futter
Webmaster, St. Bernard's College
http://www.sbc.melb.catholic.edu.au/


############################################################################
#########
This e-mail message has been scanned for Viruses and Content and cleared 
by MailMarshal
############################################################################
#########

This e-mail and any attachments may be confidential. You must not disclose
or use the information in this e-mail if you are not the intended recipient.
If you have received this e-mail in error, please notify us immediately and
delete the e-mail and all copies. The College does not guarantee that this
e-mail is virus or error free.  The attached files are provided and may only
be used on the basis that the user assumes all responsibility for any loss,
damage or consequence resulting directly or indirectly from the use of the
attached files, whether caused by the negligence of the sender or not. The
content and opinions in this e-mail are not necessarily those of the
College.
_______________________________________________
FX.php_List mailing list
FX.php_List at mail.iviking.org
http://www.iviking.org/mailman/listinfo/fx.php_list

No virus found in this incoming message.
Checked by AVG. 
Version: 7.5.524 / Virus Database: 269.23.6/1402 - Release Date: 28/04/2008
1:29 p.m.
 

No virus found in this outgoing message.
Checked by AVG. 
Version: 7.5.524 / Virus Database: 269.23.6/1402 - Release Date: 28/04/2008
1:29 p.m.
 


_______________________________________________
FX.php_List mailing list
FX.php_List at mail.iviking.org
http://www.iviking.org/mailman/listinfo/fx.php_list



More information about the FX.php_List mailing list