List: General Discussion
From: John Foley
Date: February 17 2000 12:54pm
Subject:RE: Comments on security.

Another good idea is to have your password .php3 file OUTSIDE the http
server root, and do include() or require().


> -----Original Message-----
> From:	Thimble Smith [SMTP:tim@stripped]
> Sent:	Thursday, February 17, 2000 12:00 AM
> To:	mark@stripped
> Cc:	mysql@stripped
> Subject:	Re: Comments on security.
> 
> On Thu, Feb 17, 2000 at 11:41:10AM +1030, Mark Ferraretto wrote:
> >I don't use MySQL security.  This is because it can't provide row-level
> >security and can be bypassed using a client that's not mine.
> >
> >So, access to the database is through a single mysql user who has
> >complete rights to the database.
> 
> In a way you do use MySQL security, since you're restricting access to
> only one user.  :)  But you're not using MySQL for row-level security,
> because it isn't offered.
> 
> >The username and password are stored as cookies through the browser.  If
> >the cookies don't exist (or have expired), a login screen is displayed.
> >
> >How does this look?  The mysql user and password exist in plain text in a
> >.php file.  Can this ever be retrieved by a user or will apache always
> >generate the html when it sees that it's a php file?
> 
> As Van said, SSL would be good, so that the user and password (even the
> encrypted password) aren't visible on the wire.  That plain text file on
> your server can of course be retrieved if you grant someone access by
> some method.  If you mess up your Apache config some time, for example,
> or somehow allow someone to read arbitrary files on your machine, etc.
> But you can prevent those things by being very sensitive about how you
> program and how you do things.
> 
> If you have Apache set up right, it will always process your php files
> before serving them to the client.
> 
> >What are the security implications of using cookies?  I have the
> >plaintext username in one cookie and the mysql-encrypted password in
> >another.  Neither cookie is called 'user' or 'password' or something
> >like that.  I've kept the names cryptic.
> 
> You might try using rot13 to encrypt your data.  Seriously, though, I
> don't put much stock in security via obscurity.  It'd be better to use
> SSL if you're worried about someone reading cookie info that's passed
> on the wire.  The implications of using cookies are the same as passing
> data in a form, so if you wouldn't put the data in a form element, then
> don't put it into a cookie.
> 
> Tim
> -- 
> Tim Smith   < tim@stripped >  :MySQL Development Team:  Boone, NC  USA.
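As an added example (not code from anyone in this thread): a login page laid out the way John suggests, with the MySQL credentials in a file that is outside the document root and pulled in with require(), and the browser-side state reduced to a random session id instead of the username and MySQL-encrypted password themselves, in line with Tim's rule that a cookie deserves no more trust than a form field. The paths /var/www/html and /etc/myapp/db_config.php, the users(username, pw_hash) table, and the MySQL account name are assumptions made for the example.

```php
<?php
// login.php -- lives under the document root (assumed: /var/www/html/login.php).
//
// The MySQL credentials live in /etc/myapp/db_config.php (assumed path),
// OUTSIDE the document root. No URL maps to that directory, so Apache
// cannot be tricked into serving the file as a static download even if
// PHP handling is misconfigured for a moment; only code that require()s
// it by filesystem path can read it. The file contains nothing but:
//
//   <?php
//   return ['dsn'  => 'mysql:host=localhost;dbname=app;charset=utf8mb4',
//           'user' => 'app_user',          // the single MySQL account
//           'pass' => 'change-me'];        // placeholder value
//
// and is readable only by the web server's user (chmod 0640, root:www-data).
$db = require '/etc/myapp/db_config.php';

$pdo = new PDO($db['dsn'], $db['user'], $db['pass'], [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// Application users live in an ordinary table (assumed: users(username, pw_hash)),
// because MySQL itself cannot grant per-row rights. pw_hash is password_hash()
// output, not the MySQL PASSWORD() value, so a stolen hash is not a login token.

// The only thing the browser keeps is the session id: a random value with no
// relation to the password. Secure + HttpOnly mean it travels only over SSL/TLS
// and is not readable from client-side script.
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

$error = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';

    $stmt = $pdo->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() is constant-time; the password itself crosses the
    // wire exactly once, here, which is what SSL on this page protects.
    if ($row !== false && password_verify($password, $row['pw_hash'])) {
        session_regenerate_id(true);          // fresh id once privileges change
        $_SESSION['username'] = $username;    // stored server-side, never in a cookie
        header('Location: /');
        exit;
    }
    $error = 'Login failed';                  // same message for unknown user or bad password
}
?>
<!DOCTYPE html>
<html><body>
<?php if ($error !== null): ?><p><?= htmlspecialchars($error) ?></p><?php endif; ?>
<form method="post" action="/login.php">
  <label>User <input name="username"></label>
  <label>Password <input name="password" type="password"></label>
  <button type="submit">Log in</button>
</form>
</body></html>
```

Later pages call session_start() with the same cookie parameters and check $_SESSION['username']; a request that arrives with a made-up or expired session id simply has no username and gets sent back to this form. Cryptic cookie names add nothing here, since the cookie value is worthless without the server-side session it points at.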