
Security: Hide mysql connection details file

@Shanna517

Posted in: #Mysql #Php #Security

Ok, so I know this must be a very basic question, but my problem is the following: I have developed my first PHP mini-app (so I'm fairly new to this) and I am pretty sure that there are two files of my web application that should be somehow protected from prying eyes:


the one with the details to connect to the db
the one with the password hashing and the salt key


How should I go about protecting them? I have read somewhere that they should be put somewhere above my public directory, but then how will the app be able to access them? Should I change something in my Apache config so that the Document Root is different than something else?

Any other things I should consider in terms of security? So far I am escaping every user field that goes into the db with mysql_real_escape_string(), but apart from that and hashing and salting the passwords, I'm not doing anything else.


@Goswami781

Without knowing more about your app or seeing some real code, it is hard to give any detailed security advice. That being said, here are some things that come to mind after reading your post:

1: Keep your config file with the database connect info and salt key outside the public directory and chmod it to 444 or 644. You can access one directory above your script by doing something like this: <?php include('../config.php'); ?>

2: Escaping any info going into a database should always be done, but consider switching to mysqli since mysql_real_escape_string is deprecated as of PHP 5.5.0, and will be removed in the future.

3: I have no idea what your auth system looks like, but make sure you aren't storing important data like passwords in cookies. This goes back to my first point of it being impossible to give good advice without seeing your code but there are lots of articles, tutorials, and pre-built solutions for securing user authentication - stackoverflow.com/questions/1624846/php-best-practices-for-user-authentication-and-password-security

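Points 1 and 2 of the answer above, worked through as an added example that is not part of the original thread: the script loads its settings from a file one level above the public directory, refuses to use it if it is web-reachable or world-writable, and queries through a mysqli prepared statement instead of mysql_real_escape_string(). The directory layout, the config keys and the users table are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Assumed layout (hypothetical paths, not from the thread):
//   /var/www/myapp/config.php        outside the document root; ends with
//                                    return ['db_host' => ..., 'db_user' => ..., ...];
//   /var/www/myapp/public/index.php  this script, at the top of the document root

function load_config(string $path, string $docRoot): array
{
    $real = realpath($path);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('config file or document root not found');
    }
    // Refuse a config file that sits inside the web-served tree.
    if (strpos($real, rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('config file is inside the document root');
    }
    // Refuse a config file that any local user could rewrite.
    if ((fileperms($real) & 0002) !== 0) {
        throw new RuntimeException('config file is world-writable');
    }
    return require $real;
}

function find_user(mysqli $db, string $username): ?array
{
    // Prepared statement: the value is bound as data and never spliced into the SQL text.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $row = $stmt->fetch() ? ['id' => $id, 'password_hash' => $hash] : null;
    $stmt->close();
    return $row;
}

// __DIR__ is a filesystem path, so PHP can read the file even though no URL maps to it.
$config = load_config(__DIR__ . '/../config.php', __DIR__);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors instead of returning false
$db = new mysqli($config['db_host'], $config['db_user'], $config['db_pass'], $config['db_name']);
$db->set_charset('utf8mb4');
$name = $_POST['username'] ?? '';
$user = find_user($db, is_string($name) ? $name : '');
```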

