Where to securely store db_connect

I have added some simple php/mysql functionality to my website, and I am wondering what the best way to store my db_connect.inc (or .php?) file is. I have tried a number of options, and have been unable to make my web-accessible pages see the script unless it is in my web directory too. Can someone help? Thanks!

put it outside the public html directory…

something like /home/username/ where your public html is /home/username/domain.com/

always name it file.php, don’t use other extensions… if you want it to be seen as a config file use file.inc.php but always let php parse it for added security (i.e. can’t browse to it and view the contents if it’s in a public dir)

www.rawkstar.net

Thanks for the reply. Yeah, I have tried this, but I’m just not sure how dreamhost is set up…when I ftp in to my site, the lowest directory I can access is called “/”, in which resides my domain directory (domain.com) and a bunch of other dirs (mail, misc, streaming, etc). What is this main directory called and how do I reference it in my pages? My problem is that I can’t seem to reference it correctly. I have a hunch that dreamhost is set up differently from most other webhosts, because all the advice I have gotten so far seems not to be applicable to my site. Say I put my “db_connect.php” file in a directory (“includes”) residing in this “main” directory (one level back from domain.com), and I have index.php in domain.com including the file. What path do I use? I have tried “/includes/db_connect.php”, “/home/includes/db_connect.php”, “/home/user/includes/db_connect.php” and none seem to work. I get this php error:

Warning: open_basedir restriction in effect. File is in wrong directory in /home/.eggo/dhaworth/danielhaworth.net/music/baddudes/index.php on line 3

Fatal error: Failed opening required ‘/home/dhaworth/includes/db_connect.inc’ (include_path=’.:/usr/local/lib/php’) in /home/.eggo/dhaworth/danielhaworth.net/music/baddudes/index.php on line 3.

Any more help would be much appreciated. Thanks!
-daniel

the error message has the directory you want…

‘/home/dhaworth/includes/db_connect.inc’

that should work… if it doesn’t try putting the .eggo/ in, annoyingly dh sometimes needs this in php paths and it can change…

www.rawkstar.net

Thanks man, the .eggo did it. Rawk on! Oh yeah, review this:

http://www.danielhaworth.net/music/baddudes/recordings.html

just remember that .eggo can change so keep an eye on it.

Review? Ok, I’ll get one of the team to do it! :smiley:

www.rawkstar.net

Hey Dan - long time no see! BTW, other users on your machine could still potentially read the file; the only good way around this is really to use PHP-cgi and have the file owned by you with 0600 or 0640 permissions.

One other trick you could try that might work would be to create a file with the db connect information (with) 0640 or 0600 permissions from a PHP script (so that the file is owned by the dhapache user). I think another user might still be able to write a PHP script to read this file, but it would be a little trickier, and our current PHP security restrictions might prevent this (Jeff or Nate - either of you know?).

do the base dir restrictions not disallow people from reading others’ files?

www.rawkstar.net

Hey Will! Cool, thanks for the warning. By “other users on my machine”, do you mean the server my site is on (rock)?

That’s my understanding, but I didn’t want to spread misinformation.

Yup. Generally not a big problem, but it could potentially happen if someone cared. I wouldn’t stay up at night worrying about it unless you’re storing really sensitive information in the database, though.

This should be the case, but when it comes to server security you can never be too paranoid!

  • Dallas
  • DreamHost Honcho
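
An added example, not from the thread or from DreamHost: a shell check for the three points raised above, namely that the credentials file sits outside the public directory, that it has a .php name if it does not, and that its mode is no looser than the 0640 suggested. The function names and finding labels are made up for illustration.

```shell
#!/bin/sh
# Added example: audit where a PHP database-credentials file lives.
# audit_db_config FILE DOCROOT prints one finding per line and
# returns 0 only when nothing was found (2 if FILE does not exist).

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

audit_db_config() {
    file=$1 docroot=$2 findings=0
    [ -f "$file" ] || { echo "missing: $file"; return 2; }

    # Resolve both paths physically, so a symlinked home (such as the
    # /home/.eggo/ form in the thread's error message) compares correctly.
    real_file=$(cd "$(dirname "$file")" && pwd -P)/$(basename "$file")
    real_root=$(cd "$docroot" && pwd -P)

    case $real_file in
        "$real_root"/*)
            echo "inside-docroot: $real_file"; findings=$((findings + 1))
            # Inside the web root, only a .php name keeps the web server
            # from handing out the source as plain text.
            case $real_file in
                *.php) ;;
                *) echo "not-parsed-by-php: $real_file"; findings=$((findings + 1)) ;;
            esac ;;
    esac

    # 0600 and 0640 both pass: flag group-write and any "other" bit (027).
    mode=$(file_mode "$file")
    if [ $(( 0$mode & 027 )) -ne 0 ]; then
        echo "loose-mode: $mode on $real_file"; findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}
```

Mode bits only cover access through the filesystem; they do not address the case raised in the thread where another customer's PHP script runs as the same web-server user.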