
#1 mutago234

Securing Php and Mysql Database Credentials in Shared Host

Posted 22 September 2013 - 01:17 PM

I think this is to be secured by the use of environment variables to store sensitive data
(such as your database access credentials).
With Apache, I configured the SetEnv directive as follows:

SetEnv DB_USER "myuser"
SetEnv DB_PASS "mypass"


and it was saved in a separate file outside the root that is not readable by Apache.
In httpd.conf, I try to include this file as follows:

Include "/path/to/secured.php"

Because Apache is typically started as root,
it is able to include this file while it is reading its configuration.

For accessibility, I use the superglobal array, e.g.
<?php
 
mysql_connect('localhost', $_SERVER['DB_USER'], $_SERVER['DB_PASS']);
 
?>

or

<?php
$db = new PDO (
	'mysql:host=localhost;dbname=timeline', 
	$_SERVER['DB_USER'], // username
	$_SERVER['DB_PASS'] // password
);
?>




PROBLEMS

My problem is that it's not working. Please, what extension name do
I have to save the file with? Is it secured.html or secured.php or secured, or do
I have to set the environment variable directly inside the httpd.conf file?



Thank You.


Replies To: Securing Php and Mysql Database Credentials in Shared Host

#2 Atli
Re: Securing Php and Mysql Database Credentials in Shared Host

Posted 22 September 2013 - 01:35 PM

This is an Apache configuration thing, not PHP, HTML or any other such file format. It makes no sense to name the file in the tradition of any of them. - In reality, it doesn't matter one bit what you name the file, or what extension you give it, because Apache will simply read it as text and interpret it as it would any other included configuration file.

As for why it's not working: did you restart the Apache server after updating the httpd.conf file? This kind of configuration is loaded at startup, and won't be updated without a restart.

#3 Dormilich

Re: Securing Php and Mysql Database Credentials in Shared Host

Posted 22 September 2013 - 01:37 PM

Quote

I have to set the Environment Variable directly inside httpd.conf files

Why should PHP read the Apache configuration file? This would be a major security leak.

PHP $_SERVER description said:

$_SERVER is an array containing information such as headers, paths, and script locations. The entries in this array are created by the web server. There is no guarantee that every web server will provide any of these; servers may omit some, or provide others not listed here. That said, a large number of these variables are accounted for in the CGI/1.1 specification, so you should be able to expect those.


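An added example, not code from any poster in this thread: one way to read the SetEnv values discussed above so that a missing variable (for instance because Apache was not restarted after the Include was added) is reported by name and the page fails closed. The function name db_credentials_from_env is hypothetical; the REDIRECT_ fallback assumes Apache's renaming of environment variables after an internal redirect, and the DSN is the one from the first post.

```php
<?php
// Added example (requires PHP 7.1+); db_credentials_from_env is a hypothetical helper.

/**
 * Return [user, pass] from the variables Apache exports via SetEnv.
 * $server is passed in (normally $_SERVER) so the lookup can also be
 * exercised with a constructed array.
 */
function db_credentials_from_env(array $server): array
{
    $found = [];
    $missing = [];
    foreach (['DB_USER', 'DB_PASS'] as $name) {
        // After an internal redirect (e.g. a rewrite rule) Apache exposes
        // environment variables with a REDIRECT_ prefix, so check both names.
        $value = $server[$name] ?? $server['REDIRECT_' . $name] ?? null;
        if (!is_string($value) || $value === '') {
            $missing[] = $name;
        } else {
            $found[$name] = $value;
        }
    }
    if ($missing !== []) {
        // Report variable names only, never their values.
        throw new RuntimeException('Not set by the web server: ' . implode(', ', $missing));
    }
    return [$found['DB_USER'], $found['DB_PASS']];
}

try {
    [$user, $pass] = db_credentials_from_env($_SERVER);
    $db = new PDO('mysql:host=localhost;dbname=timeline', $user, $pass, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // surface connection errors as exceptions
    ]);
} catch (RuntimeException $e) { // PDOException is a RuntimeException subclass
    // Log the message only: a stack trace could include the password argument.
    error_log('DB setup failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Service unavailable.');
}
```

With this in place, the server error log shows whether the problem is that the variables never reached PHP or that the database rejected the credentials.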