How to conceal userid/passwords in php classes

Nifty Fedora Mitch niftyfedora at niftyegg.com
Fri Sep 19 00:30:24 UTC 2008


On Tue, Sep 16, 2008 at 07:06:10PM -0700, Don Russell wrote:
> 
>    I have some php classes I use for accessing mySQL databases on
>    localhost.
>    Somewhere in there, I have the mySQL userid/password so the php script
>    can access the data.
>    What is the normal practice for concealing that type of information?
>    Keeping classes in /usr/share/php seems to imply they need to be "world
>    readable", especially if they are going to be used by CLI scripts as
>    well as web page scripts.
>    This is on my home machine, it's not like I'm trying to protect a
>    million credit card numbers or anything like that. But, I am interested
>    in being "security aware"...
>    Thanks for any tips/pointers.


If you want to get it close to right, look at what the ssh and sshd folk do.

In general the last thing you want to do is add passwords to your php.

Next to last, but better, is placing them in a file that has read
permissions by only 'you' but not by apache or any process that might
be hacked.  Better still to have the mySQL database info and passwords in a
startup config file, establish a connection to the database, then, having
read those bits, do a setuid/setgid transition to a safe account that cannot
read or write them.  One advantage of using files is that the same
code can be reused, say in the case of multiple hosted customers.

Better yet is to have the application prompt for the keys one time...
The user can then use a small handful of tricks to mouse cut and paste
them onto the prompt, including a good personal memory.  One trick is to have
encrypted keys on a USB key that can be removed.  See also something like
Password Safe.

   http://www.schneier.com/blog/archives/2005/06/password_safe.html

Do a bit of homework and isolate any authentication stuff in
your code to a single file so you can fix it and audit it.  php
has a bad track record...  use caution.  Some of the public examples
in the early days of php are badly flawed.  Webalizer is one historic
bad example; search the web and its change logs.


-- 
	T o m  M i t c h e l l 
	Found me a new hat, now what?
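The "read the credentials file at startup, connect, then setuid/setgid to a safe account" pattern from the reply above, written out as an added PHP example (not code from the post or from any project). It assumes a credentials file /etc/myapp/db.ini owned by root with mode 0600, an unprivileged account named myapp-run that cannot read it, the posix and pdo_mysql extensions, and that the CLI script is started as root so the uid change is permitted.

```php
<?php
// Added example, not code from the mailing-list post. Assumed: /etc/myapp/db.ini
// is root-owned, mode 0600; "myapp-run" is an unprivileged account that cannot
// read it; the script is started as root from the CLI (setuid needs that).

// Refuse to load credentials from a file that other accounts can read.
function loadDbCredentials(string $path): array
{
    $perms = fileperms($path);
    if ($perms === false) {
        throw new RuntimeException("cannot stat $path");
    }
    if (($perms & 0077) !== 0) {
        throw new RuntimeException("$path is group/world readable; chmod 600 it");
    }
    $cfg = parse_ini_file($path, false, INI_SCANNER_TYPED);
    foreach (['host', 'dbname', 'user', 'password'] as $key) {
        if (!isset($cfg[$key])) {
            throw new RuntimeException("$path is missing '$key'");
        }
    }
    return $cfg;
}

// Give up the identity that could read the credentials file. Change the group
// first: once the uid is unprivileged, setgid would no longer be allowed.
function dropPrivilegesTo(string $account): void
{
    $pw = posix_getpwnam($account);
    if ($pw === false) {
        throw new RuntimeException("no such account: $account");
    }
    if (!posix_setgid($pw['gid']) || !posix_setuid($pw['uid'])) {
        throw new RuntimeException("failed to switch to $account");
    }
}

$cfg = loadDbCredentials('/etc/myapp/db.ini');
$dsn = sprintf('mysql:host=%s;dbname=%s', $cfg['host'], $cfg['dbname']);
$pdo = new PDO($dsn, $cfg['user'], $cfg['password'], [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
unset($cfg);                    // do not keep the secret around in memory
dropPrivilegesTo('myapp-run');  // the open connection survives the uid change
// From here on the script runs as myapp-run: it cannot reopen db.ini, but it
// can still query through $pdo.
$pdo->query('SELECT 1');
```

This only fits the CLI case from the post: under mod_php the worker already runs as apache, so there the file has to be readable by apache and the protection is limited to keeping it outside the document root with the tightest permissions apache still allows.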