Where to securely store db_connect

software development

#1

I have added some simple php/mysql functionality to my website, and I am wondering what the best way is to store my db_connect.inc (or .php?) file. I have tried a number of options, and have been unable to make my web-accessible pages see the script unless it is in my web directory too. Can someone help? Thanks!


#2

put it outside the public html directory…

something like /home/username/ where your public html is /home/username/domain.com/

always name it file.php, don’t use other extensions… if you want it to be seen as a config file use file.inc.php but always let php parse it for added security (i.e. can’t browse to it and view the contents if it’s in a public dir)

www.rawkstar.net


#3

Thanks for the reply. Yeah, I have tried this, but I’m just not sure how dreamhost is set up… when I FTP into my site, the lowest directory I can access is called “/”, in which resides my domain directory (domain.com) and a bunch of other dirs (mail, misc, streaming, etc). What is this main directory called and how do I reference it in my pages? My problem is that I can’t seem to reference it correctly. I have a hunch that dreamhost is set up differently from most other webhosts, because all the advice I have gotten so far seems not to be applicable to my site. Say I put my “db_connect.php” file in a directory (“includes”) residing in this “main” directory (one level back from domain.com), and I have index.php in domain.com including the file. What path do I use? I have tried “/includes/db_connect.php”, “/home/includes/db_connect.php”, “/home/user/includes/db_connect.php” and none seem to work. I get this php error:

Warning: open_basedir restriction in effect. File is in wrong directory in /home/.eggo/dhaworth/danielhaworth.net/music/baddudes/index.php on line 3

Fatal error: Failed opening required '/home/dhaworth/includes/db_connect.inc' (include_path='.:/usr/local/lib/php') in /home/.eggo/dhaworth/danielhaworth.net/music/baddudes/index.php on line 3.

Any more help would be much appreciated. Thanks!
-daniel


#4

the error message has the directory you want…

‘/home/dhaworth/includes/db_connect.inc’

that should work… if it doesn’t try putting the .eggo/ in, annoyingly dh sometimes needs this in php paths and it can change…

www.rawkstar.net


#5

Thanks man, the .eggo did it. Rawk on! Oh yeah, review this:

http://www.danielhaworth.net/music/baddudes/recordings.html


#6

just remember that .eggo can change so keep an eye on it.

Review? Ok, I’ll get one of the team to do it! :smiley:

www.rawkstar.net


#7

Hey Dan - long time no see! BTW, other users on your machine could still potentially read the file; the only good way around this is really to use PHP-cgi and have the file owned by you with 0600 or 0640 permissions.

One other trick you could try that might work would be to create a file with the db connect information (with 0640 or 0600 permissions) from a PHP script (so that the file is owned by the dhapache user). I think another user might still be able to write a PHP script to read this file, but it would be a little trickier, and our current PHP security restrictions might prevent this (Jeff or Nate - either of you know?).
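Putting the two pieces of advice in this thread together (post #2: keep the config outside the public directory and let PHP parse it; post #7: on a shared host, rely on file ownership and 0600/0640 permissions under PHP-CGI), here is an added example of a loader that refuses to start if either condition is not met. It is not code from the thread or from DreamHost; the paths, the `load_db_config` function name and the config keys are assumptions chosen for illustration, and `USERNAME` is a placeholder (the real DreamHost path may carry the `.eggo`-style prefix discussed above). It targets PHP 8 for `str_starts_with`.

```php
<?php
declare(strict_types=1);

// The config file itself lives OUTSIDE the web root, e.g. /home/USERNAME/includes/db_connect.php,
// and returns its settings instead of defining globals, so nothing is left behind if it
// is included twice. Its whole content would be (values constructed for this example):
//
//   <?php return ['host' => 'mysql.example.invalid', 'user' => 'dbuser',
//                 'password' => 'change-me', 'database' => 'site'];

/**
 * Load database settings from a file kept outside the web root, after checking
 * that it (a) really is outside the document root and (b) is not readable by
 * "other" users on the machine. Returns the settings array or throws.
 */
function load_db_config(string $configPath, string $docRoot): array
{
    // realpath() returns false both for a missing file and for a file that the
    // open_basedir restriction (the warning quoted in post #3) keeps us out of.
    $real = realpath($configPath);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('Database config file not found or not accessible');
    }

    // Refuse a config that lives inside the public directory, even when it is
    // named .php: a misconfigured server can still serve it as plain text.
    if (str_starts_with($real, rtrim($root, '/') . '/')) {
        throw new RuntimeException('Database config must live outside the web root');
    }

    // Under PHP-CGI the script runs as the site owner, so 0600 (or 0640 for a
    // trusted group) keeps other users on a shared host out. fileperms() also
    // carries file-type bits, so mask them off before inspecting the "other" bits.
    $mode = fileperms($real) & 0777;
    if (($mode & 0007) !== 0) {
        throw new RuntimeException(sprintf('Database config is world-accessible (mode %04o)', $mode));
    }

    $config = require $real;
    foreach (['host', 'user', 'password', 'database'] as $key) {
        if (!is_string($config[$key] ?? null)) {
            throw new RuntimeException("Database config is missing '$key'");
        }
    }
    return $config;
}

// Usage from a page inside the web root, e.g. /home/USERNAME/domain.com/index.php.
try {
    $db = load_db_config('/home/USERNAME/includes/db_connect.php', $_SERVER['DOCUMENT_ROOT']);
    $mysqli = new mysqli($db['host'], $db['user'], $db['password'], $db['database']);
} catch (RuntimeException $e) {          // mysqli_sql_exception is a RuntimeException too
    error_log($e->getMessage());         // keep paths and modes in the server log only
    http_response_code(500);
    exit('Service temporarily unavailable');
}
```

The mode check deliberately allows 0640 as well as 0600, matching post #7; tighten it to `($mode & 0077) !== 0` if the group should be locked out as well. The error handler logs the detail but shows visitors only a generic message, so a failed check does not leak the config path the way the open_basedir warning in post #3 did.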


#8

do the base dir restrictions not disallow people from reading others’ files?

www.rawkstar.net


#9

Hey Will! Cool, thanks for the warning. By “other users on my machine”, do you mean the server my site is on (rock)?


#10

That’s my understanding, but I didn’t want to spread misinformation.


#11

Yup. Generally not a big problem, but it could potentially happen if someone cared. I wouldn’t stay up at night worrying about it unless you’re storing really sensitive information in the database, though.


#12

This should be the case, but when it comes to server security you can never be too paranoid!

  • Dallas
  • DreamHost Honcho