php,security , How to secure configuration file containing database username and password


How to secure configuration file containing database username and password

Question:

Tag: php,security

Issue

In order to connect my PHP code with MySQL database I use PDO way, creating variable, assigning it with new PDO object where arguments contain settings such as server, database, login and password. So in resulting code it could look like this:

$DAcess=new PDO("mysql:host=server;dbname=database","login","password");

I don't feel comfortable having my login data written directly into the code nor do I find it effective in case of possible changes of those data. It was recommended to me to solve this by storing those data in other text file (preferably .INI file) from which it is going to be retrieved anytime I need, for example, having file:

xampp/htdoc/EXERCISE/secret/config.ini

The problem is If any user figures out the location and name of this file, they can easily access it and its content by entering URL/HTTP request into their browser:

server(localhost)/EXERCISE/secret/config.ini

It was adviced to me by the same source the file is supposed to be forbidden from acess by those protocols. So I need to be able to acess the file with my PHP code but disallow any user to acess the directory/file on their own. How to do this?

Possible Solution

I have been roaming these pages and other similar forumses yet all results of my research with keywords such as "forbidden" were about users who lost permission unintentionally. I have also been looking for Google solution, yet Tutorials I have found were referencing to file located somewhere else in my XAMPP version and were about lines of settings not included in this file in my XAMPP version - considering I have downloaded XAMPP from official page, I should be having recent version, thus those tutorials were outdated.

It left me with no other choice but experiment on my own. After a while, I have found directory "forbidden" in directory "htdoc", have played with those files and have ended up with something looking like solution to my issue.

Specifically, I copied .htacess (obviously nameless text file with but extension) and placed its copy into to-be-forbidden directory. I changed nothing in the file but line referencing to login data storing file. I have created my own text file (nameless with but extension .ldatastore) where using copied pattern login:password I have written my own desired login data and made .htacess use this file instead of original htdoc/forbidden/.htpassw.

Since then, it seems it works. Whenever I try to acces those files with my browser on new session (browser closed and opened again, otherwise it doesn't need autentification again), it does not let me browse the directory nor look into its files (neither those which are responsible for those actions such as .htacess or those I created myself such as config.ini) unless I provide valid login data same to those in .ldatastore text file.

So why am I asking this? I feel uncomfortable doing it this way because of several reasons listed below. In case this is the only easy and possible solution, I can live with that, but in case there is much better way you would recommend, I will gladly read that, which is why I am asking for your suggestions. I was also writing this whole text to explain my case fully, provide enough data and express "I have done some research and understanding of the case before asking" so that this would not be by the rules of this page marked as "off-topic".

Reasons Why I Would Prefer Alternative Solution

  1. I feel like it is XAMPP framework dependant. That the whole module making this work is part of the framework's code while .htacess just marks the directories that should be forbidden by this module. That means I am afraid If I would release my project on proper paid server hosting with their own PHP executing software, it wouldn't work everywhere and that this is just XAMPP way to do it. Correct me If I am wrong and this is solution used widely on any PHP executioner.

  2. I was trying to understand the module's documentation located as text file in the "forbidden" directory yet it seems from the documentation this module was developed mainly to make one safe and forbidden server storing secret data accessible then by various different application on different servers rather than just forbidding secret directory (I would leave this directory to be part of my application which is major difference between my usage and by author assumed usage). Correct me If I am wrong and I misunderstood the usage.

  3. Despite the fact I cannot acces the files via browser without login data, my PHP code seems to have no problem acessing the files - I used PHP code to retrieve text from text file that should be forbidden this way and it worked (it echoed the text) with no sign of problems. Well, in the end, I certainly would like to make it work this way yet I expected even PHP code that retrieves the text would need to somehow contain login data to have access. This way it feels like anyone instead of entering the reference into browser would make their own PHP code that would acces those files from my server (which would make this act to increase security useless little bit). Correct me If I am wrong and it is not this easy.

  4. I feel paranoid that it is not safe enough solution. Correct me If I am wrong and it is totally safe and preffered solution.

Too Long, Didn't Read

Is copying and pasting and customizing .htacess file safe enough to make directory forbidden only acessible by my PHP code to retrieve data from there and is it useable on most platforms?

I have recently found in right bar of similar questions this one (How to secure database configuration file in project?), yet I am not sure whether it can be used in my case, too, and how to do so.


Answer:

As @Darkbee stated, the simplest way is to have the file outside your website root. This would be accessible on the server, but not to the public under any circumstances.

The alternative is to set the permissions to 400 on the file.

.htaccess could block access, but not blocking access to the server (which needs access) is just a long way of doing what would be simpler just using permissions.


Related:


How to pass a value from a page to another page in PHP


php
Im trying to pass a variable value from a page to another page. Im using to go to the next page and I use Session to get the value, the link variable does working but the price variable doesn't work Here's the code: index.php <?php require('connect.php'); if(!isset($_SESSION)){ session_start(); } $query...

When I click to the next page on pagination,it goes to 404 error in codeigniter


php,codeigniter,pagination
In my News.phpcontroller,i'm having the below code: public function index() { $data['title'] = 'Database Details'; $config = array(); $config['base_url'] = base_url("news/index"); $config['total_rows'] = $this->news_model->record_count(); $config['per_page'] = 5; $config['uri_segment'] = 3; //$config['use_page_numbers'] = TRUE; // $config['page_query_string'] = TRUE; $choice = $config["total_rows"] / $config["per_page"]; $config["num_links"] = round($choice); $this->pagination->initialize($config); $page =...

Unable to configure Symfony (3rd party) bundle


php,symfony2,rss
I am faily new to Symfony and I am trying to setup a third party bundle that reads RSS feeds and then insert them into database. The third party bundle I am trying to use is called rss-atom-bundle After reading the instructions I can get the RSS feeds however I...

Mixing


php
This question already has an answer here: <? ?> tags not working in php 5.3.1 5 answers I had to made some changes to an old PHP-Project (with very poor code quality...) which runs on an PHP 5.3 server. So I've downloaded the project and tried to run it...

Rewrite url not working in htaccess


php,apache,.htaccess,mod-rewrite,url-rewriting
I have website. I just want to rewrite url using .htaccess Here is the code which I want to rewrite: RewriteEngine On RewriteBase / RewriteCond %{QUERY_STRING} /search_data.php\?keywords=([^&]+)&f=([^\s&]+) [NC] RewriteRule ^/search_data.php/?$ /search/%1/%2? [R=301,L,NC] this the current url http://localhost/mywbsite/search_data.php?keywords=one+piece&f=149 I want to convert this to this http://localhost/mywbsite/search/one-piece/149 I tried above code but...

Pull information from SQL database and getting login errors


php,sql,database
I am creating a very small, simple CRM for a company, they require the function to be able to view the last 25 orders via the dashboard. The orders are added via a Order-add form within the CRM. When adding the following code to the CRM I get an error:...

Trying to rewrite mysql_* to pdo


php,mysql,pdo
First of all I should say that I started to learn PDO and trying to rewrite some old mine codes. Here is one that I found on tutorial for a jquery/ajax/pdo/mysql comment system which is working. This is the mysql_* part which I'm trying to rewrite -> file submit.php which...

$http.get returns actual php script instead of running it (yeoman, grunt)


php,angularjs,pdo,gruntjs
I'm building a "simple" AngularJS app with an articles newsfeed. My articles are stored in a mysql database, and I extract them using php PDO. I used to do this using AJAX with a simple LAMP configuration (php5, mysql, apache2), and everything worked as intended. Now I'm trying to rebuild...

array and function php


php,arrays
I'm just a beginner in PHP coding. I've been reading through a tutorial, but having some trouble with basic PHP concepts. If you could help me, I'd be much obliged. I'm having trouble understanding why the following code doesn't work. <?php function sum($x, $y) { $z = $x + $y;...

Error connecting to MSSQL using PHP


php,sql-server,pdo,odbc,sqlsrv
I am receiving an error as below: PHP Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[08001]: [Microsoft][ODBC Driver 11 for SQL Server]SQL Server Network Interfaces: Connection string is not valid [87]. ' My codes are as follow: $this->link = new PDO( "sqlsrv:server=$this->serverName:$this->port;Database=$this->db", "$this->uid", "$this->pwd" ); I wish someone can enlighten...

WooCommerce: How to display Category Name in single-product.php


php,wordpress,woocommerce
How can I display the category name in single-product.php? In archive-product.php the code is: <?php woocommerce_page_title(); ?> but what could I use to show the category name in the single-product.php that belong to the category?...

How can we validate multiple fields with one validation in cakePHP 2.0?


php,cakephp
how can we check firstname and last name is unique validation in cakePHP ? record1: first name :raj last name: kumar if we enter same name in input field , it should show validation message "Record alredy Exists". i know how to validate single field validation. how to validate that...

Laravel 4.2 Sending email error


php,email,laravel,laravel-4
Hello everyone I have an error in laravel when I am sending an email. I have a form with a select tag and when I select the user and click submit I need to send him a mail after I select it. Here is my Controller method: public function store()...

How to register global variable for my Laravel application?


php,laravel,laravel-5
I have started with Laravel a few days ago, and today I just installed the vespakoen/menu that seems to be very nice, and probably will work for what I need it. Currently I have installed Laravel 5.1 on my system. The problem I currently have, is where to register my...

RecursiveIteratorIterator to fetch subdirectories


php
Currently I am working with directories through php. I am able to list subdirectories for any given directory. However, the results are not 100% what I am looking for. The below code returns subdirectories but in addition it also returns the main directory in the array. How can I only...

how to multiply two column names using codeigniter validation rule


php,codeigniter,validation
I have three columns.The product of two columns get into third column name income_amount using codeigniter validation rule.the first column is crop_quantity and the second is per_rate controller $this->form_validation->set_rules('crop_quantity', 'Crop Quantity', 'required|numeric'); $this->form_validation->set_rules('per_rate', 'Per Rate', 'required|numeric|callback_get_product'); $this->form_validation->set_rules('income_amount', 'Income Amount', 'required|numeric');...

Composer dump-autoload gives preg_match error


php,composer-php,autoload
I have Composer in my PHP project installed, and want to use the autoloader. On this page I read how the composer.json file should look like and that I should run the command dump-autoload. My composer.json file looks as follows { "require-dev":{ "phpunit/phpunit":"4.5.*", "autoload":{ "psr-0":{ "Yii\\":"yii-1.1.14.f0fee9/" } } } }...

How can I replace the white rectangle within an image using ImageMagick?


php,image-processing,imagemagick
Overview: The first picture is my original image. Here I want to replace the white rectangle shown with another image. My approach: I have created a mask image using floodfill and it looks as: Problem: Now I would like to get the distance or co-ordinates of the rectangle in the...

What are correct permissions for Linux Apache2 PHP 5.3 log file?


php,linux,apache,logging,permissions
I discovered the reason why I was not getting entries into my php_errors.log file related to permissions. Right now, I have set it to 666 (rw-rw-rw-) but surely this is a security weakness? Thus, my question. php.ini file: error_log /var/log/httpd/php_errors.log log_errors On # ls -ld /var/log /var/log/httpd /var/log/httpd/php_errors.log drwxr-xr-x 6...

Click on link next link should be display on same page


javascript,php,jquery,html,css3
I have a single page website and need to link the navigation to IDs in the page. I have three links: "About us", "Our Project", "contact". So if user clicks on "About ", the About section will be displayed, same with other links. Inside Our project there is Two buttons...

how to escape php code in echo with javascript


javascript,php
how can i escape this : var tab_mois_nb_match = <?php ".json_encode($tab_mois_nb_match)." ;?> ; I have an code error, but the arrays are generate with sussess in the conle.log, it's totally crazy. foreach($tab_bases2 as $key => $univers){ $tab_nb_match_par_user = users_nb_match($univers); $tab_mois_nb_match = mois_nb_match($univers); echo "<div id='".$univers."' ></div>"; echo "<script type='text/JavaScript'> var...

How to restrict file copying shared using Content Provider in Android?


android,security
Is it possible to forbid making copies of files for third party applications (like adobe reader), that I am using to open pdf files stored in internal memory of my application?

Symfony 2 unable to pass entity repository to form


php,forms,symfony2,runtime-error
I have a form with a drop down and a set of checkboxes, i've used entity form field type to get the values via DB. it works with one of the entity but not with the other. i have this code seperately inside AddBadgesType there is NO AddBadges entity <?php...

Wordpress log out using URL and redirect to specify page


javascript,php,wordpress
I have one Wordpress installation . i need to log out the user without any indication user is coming from particular URL.Is it possible? My code: <?php if($_GET['logout'] == 1) { $redirect_to = current_page_url(); ?> <script> window.location.href="<?php echo wp_logout_url( $redirect_to ); ?>"; </script> <?php } ?> I am using above...

Php Mysql Query not working properly


php,mysql
I have a table name tblnetworkstatus and I have 11 columns Id issue_name affected_server affected_service issue_type priority duration status start_date end_date description I am getting id in affected_server and affected_service which I am storing in my DB, now I have three situations Either both affected_server and affected_service has been selected...

Laravel Interfaces


php,laravel,interface,namespaces
I used the following tutorial to get an idea about interfaces: http://vegibit.com/what-is-a-laravel-interface/ But I wanted to change the directory of where I am putting my interfaces to "App/Models/Interfaces". And so I did. But now I cannot get it to work anymore. Here is my code: Routes.php App::bind('CarInterface', 'Subaru'); Route::get('subaru', function()...

Time format conversion with PHP


php,time
If have the duration for a recipe in the format 1H10M (1 hour, 10 minutes) or 20M (20 minutes). I want to use the format as described in the parentheses. I've tried using strtotime() without luck. Any help would be greatly appreciated....

Why am getting this error?: Unknown column 'firstname' in 'field list'


php,database,mysqli
if(isset($_POST["submit"])) { // Details for inserting into the database $id = htmlentities($_POST["id"]); $firstname = htmlspecialchars($_POST["firstname"]); $lastname = htmlspecialchars($_POST["lastname"]); $username = htmlspecialchars($_POST["username"]); $password = htmlspecialchars($_POST["password"]); // Dealing with inserting $query = "INSERT INTO `myDatabaseForAll`.`users` (`id`, `firstname`, `lastname`, `username`, `password`) VALUES (NULL, $firstname, $lastname,$username,$password)"; $result = mysqli_query($connection,$query);...

Cant submit form


javascript,php
Basically I've got a form with 5 radio buttons. No submit button. I want the form to run when the user clicks on any of the radio buttons, so this is what I did. <input id="5" type="radio" name="star" onchange="this.form.submit();" <?php if ($row["star"] =="5") echo "checked";?> value="5"/> a querystring is required...

access the json encoded object returned by php in jquery


php,jquery,ajax,json
I want to post some data to php function by ajax, then get the encoded json object that the php function will return, then I want to get the information (keys and values) from this object, but I don't know how, here is my code: $.ajax({ url: "functions.php", dataType: "JSON",...

Include both local and server at the same time


php
I have an include statement in my program: include_once("C:/apache2.2/htdocs/AdminTool/includes/functions.php"); //include_once("/var/www/AdminTool/includes/functions.php"); I only use one at a time. In the code above I am using it for my localhost. But if I will run it on server, I have to comment the local one. Because it will cause error. Is there...

How do I display my mysql table column headers in my php/html output?


php,html,mysql,table,data
2 Questions... Scenario: I would like to query my database table via a form and then display the results that occur(if there are results) and my current situation is that it does work but it clears the form completely and leaves my to an empty page with just the results...

PHP / MySQLi: How to prevent SQL injection on INSERT (code partially working)


php,mysql,mysqli,sql-injection,sql-insert
I am new to PHP and hope someone can help me with this. I would like to store two values (an email and a password) in a MySQL db using PHP. The input is passed to the PHP page via Ajax in jQuery (through an onclick event on a website)....

Jquery parsley validate not working


javascript,php,jquery,ajax,parsley.js
if($("#dataform").parsley().isValid()){ $.ajax({ url : '<?php echo base_url();?>index.php/company/final_review?id=<?php echo $this->input->get('id'); ?>', type : 'POST', data : $("#dataform").serialize(), dataType:"json", beforeSend: function(){ $('#remarks').parsley( 'addConstraint', { minlength: 5 }); }, success : function(data){ console.log(data); } }); } This is my ajax part. The plugin is not validating the field it's submitting the form. The...

PHP Regular Expressions Counting starting consonants in a string


php,regex
I need to find out how many starting consonants a word has. The number is used later in the program. The code below does work, I am wondering if it is possible to do this with a regular expression. $mystring ="SomeStringExample"; $mystring2 =("bcdfghjklmnpqrstvwxyzABCDFGHJKLMNPQRSTWVXYZ"); $var = strspn($mystring, $mystring2); Using a regular...

mysql_real_escape_string creates \ in server only not in local


php,sql
When I use mysql_real_escape_string in my localhost and I output the result of html in a table I have no problem. But when I use it on my server it outputs even the \ This is how I use it: $_GETVARS['txtEmpNum'] = mysql_real_escape_string($_GETVARS['txtEmpNum']); $_GETVARS['txtLName'] = mysql_real_escape_string($_GETVARS['txtLName']); $_GETVARS['txtFName'] = mysql_real_escape_string($_GETVARS['txtFName']); $varSQL...

WooCommerce seems to only orderby date and not price


php,ajax,wordpress,woocommerce
I am loading in variable products via a custom WP_Query $args = array( 'post_type' => 'product', 'posts_per_page' => 100, 'product_cat' => 'beast-balls', 'orderby' => 'date', 'order' => 'desc' ); $loop = new WP_Query( $args ); if ( $loop->have_posts() ) { while ( $loop->have_posts() ) : $loop->the_post(); ?> <div class="product-node cat-beast-balls">...

php redirection working in chorme but not on firefox


php,google-chrome,mozilla
Below is my php code that caries out the redirection Code Snippet :- echo "<form action='exp_yogesh.php?id=$id' method='post'>"; echo "<td> <input type='image' name='putonline' value='$id' src='images/on_button.png' no-repeat; border:none;' alt='submit'> </td> "; echo "<td> <input type='image' name='putoffline' value='$id' src='images/off_botton.png' no-repeat; border:none;' alt='submit'> </td> "; echo "</form>"; Here's the exp_yogesh.php file <?php include 'includes/connection.php';...

Is it a good practise store the checkout steps fields in php $_SESSION?


php,session,e-commerce,checkout
I have my e-commerce site with three checkout steps, each button to continue is a POST action and redirect to the next step: if the user navigates by the checkout steps (click on the previous button for example), the form fields don´t show the data posted previously. This form fields...

Wordpress End If Statements


php,wordpress,woocommerce
Apologies, PHP is not my strongest area so this might seem super easy to others. I am trying to implement a statement to say, when there is something in my WooCommerce Cart to show the cart. If there's nothing in the cart then show nothing. The code I have so...

php include capitalization on files


php
This example works fine on my localhost (both files are included), but on my server only the second one is: <?php include('Test.php'); echo '<br/>'; include('test.php'); ?> The only difference is the caps on the second include, so I was trying to figure out how to make the caps not matter....

How to secure configuration file containing database username and password


php,security
Issue In order to connect my PHP code with MySQL database I use PDO way, creating variable, assigning it with new PDO object where arguments contain settings such as server, database, login and password. So in resulting code it could look like this: $DAcess=new PDO("mysql:host=server;dbname=database","login","password"); I don't feel comfortable having...

MySQL Query returning strange values


php,mysql
The query is supposed to do the following: Obtain the question and associated answers based on the identification number of the question. (In this case the identification number is called account_id. Order them so that each question (and it's appropriate answers) are lined up in order. The query: SELECT *...

How to search images by name inside a folder?


php,mysql,image
I have a MySQL table with a column "rounds" and each "rounds" has his own photos. Exemple round1 has photos from start=380 end=385. This means it has 6 photos and the name of the photos contains 380,381,382,383,384 or 385 inside. I use this PHP code to display the photos from...

How to modify CodeIgniter calendar to handle multiple events per day?


php,codeigniter,calendar
I am creating a calendar without jquery calendar plugin. I could retrieve the data which is in the database to the calendar. But when there are multiple data per day only one data comes to the calendar view. I want it to be like this when there is multiple data....

How to Match a string with the format: “20959WC-01” in php?


php,regex
i want to restrict a user to enter a value which is similar to the value "20959WC-01", means it must contains 5 integers followed by two character, a '-' and two integers, can anyone please give me a solution to sort out this problem. Thanks in advance :) ...

compare today's date with unix timestamp value in database


php,mysql
In database I am storing date value unix timestamp value for e.g.'1434952110' using time() now I am trying to compare todays value with this value as below $jobpostdate = date("Y-m-d");//today's date passing in database to compare query $sql = "SELECT jsp_title, jsp_subtitle, jsp_desc, jsp_location, jsp_date "; $sql .= "FROM js_projects...

Codeigniter PHP Mailer, Sender Info


php,email,codeigniter-2,phpmailer,contact-form
I'm using Codeigniter PHP Mailer which is hosted here: https://github.com/ivantcholakov/codeigniter-phpmailer/ and with gmail smtp it works flawless. However,using it for a standard contact form, when visitors use that contact form and send us an email, they basically send mails from our mail address to our another mail addess. When they...

Dynamically select from a dynamically generated dropdown


php,html,select,drop-down-menu
I have a dynamically generated dropdown list - list of course identifiers and names. On the basis of a variable, “assigned_course_id”, I would like to preselect the appropriate value from the dropdown list. My best attempt is as follows. Thanks in advance for your assistance. <select name="course_id" id="course_id"> <?php $assigned_course_id...