MySQL security

software development

#1

I am trying to implement a secure data post on my web site via PHP to a MySQL db, all hosted by Dreamhost. My main concern is managing the MySQL db user name and password required to access the database. I’d like some opinion from you fine users out there.
One method involves storing them in an include file, but to keep that file secure - at least from what I read - requires access to the httpd.conf file. Dreamhost does not grant access to it. Is there a way to utilize an .htaccess file in a subdirectory of the web site to handle this?
Thanks,
Matt


#2

The following is common sense…

  1. Make sure the permissions on the include file deny group and public read/write. Apache will not serve a file unless it can read it, and these goes the same for other users sharing your machine.

  2. Put the file out side the document root. In other words, instead of putting it in /home/username/domain put it in /home/username/config and then hardcode the path into your PHP script, eg include realpath(’/home/username/config/mysql.php’)

:cool: [color=#6600CC]Atropos[/color] | openvein.org


#3

That did the trick. Thanks.
Matt


#4

In addition, I create a separate MySQL user with as few privileges as needed, and never use the admin account. It limits the damage if my account or site gets compromised.


#5

Can anyone speak to how secure this is in general, and what measures need to be taken (besides securing the password)?

For example, the default setting allows any Dreamhost machine to query the MySQL database. Does that mean the DBs are vulnerable to dictionary attacks?

Also, is the MySQL password sent unencrypted from the webserver (running PHP or similar) to the MySQL server? If so, is it possible that a compromised machine on the network could snoop the password?