[thelist] MySQL, PHP, and passwords

Richard Harb rharb at earthling.net
Tue Feb 22 12:28:49 CST 2005


-----Original Message-----
From: Bernardo Escalona
Sent: Tuesday, February 22, 2005, 6:29:29 PM
> Fellow web developers:

> I recently started to learn about MySQL and how to use PHP to interact
> with MySQL databases.

> Most of the tutorials agree that the way to access your database from
> php is more or less the following:

> $user = "username";
> $password = "password";
> mysql_connect('localhost', $user, $password);

> Which requires you to actually type your MySQL password right on the
> php file in cleartext.

> Now, I know php files are evaluated server-side and only html is
> returned to the browser client-side, but it still seems kind of
> strange to me.

> Is this how it's done? Is it safe? Are php files themselves safe from
> anyone who doesn't have ftp or shell access to the web server?

There's no way around it.

It really depends on the quality of the rest of the code whether or not
storing the username / password in variables might be a problem.

You can also unset() those variables as soon as the connection has been created.
After the initial connect you usually do not need the user credentials any
longer.

Depending on the application you could also create a MySQL user for your PHP
site that has the minimum level of permissions: Limit which databases and tables
that user has access to ...


> On a side question, but also on a similar topic: if I want to store
> usernames and passwords in a table of my MySQL database, can I be sure
> this information is safe? Do I need to encrypt the password fields of
> the table in some way? Note that I don't work for a bank or the
> Pentagon, but reasonable security would still be good.

I store the usernames in plain text and passwords encrypted. If you use MD5 for
example you can hash the password and just compare the hashed values. There's
usually no need to have them in plain text (Just be sure to have some method of
resetting the password in the application).

So even if your database should be compromised that information wouldn't be of
too much value.

Personally I am a little suspicious of sites that offer 'secret questions'.
And after answering those correctly the password gets sent to you - in plain
text. That means that the password has to be stored in plain text somehow ...

HTH
Richard


> Thank you and sorry for the many questions.

> Berns
> -- 
> ___________________________________________
> Bernardo Escalona Espinosa
> tel: 56 22 85 23
> cel: 55 18 56 74 73
> http://www.bernsonline.com/
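The points Richard makes above (connect with a least-privilege MySQL account, unset() the credentials once connected, store only password hashes and compare hashes, and offer a reset instead of sending the password back) put together in one script. This is an added example and not code from the thread or from either poster. It assumes PHP 7 or later with the mysqli extension (mysqli replaces the mysql_connect() call in the quoted snippet, which no longer exists in modern PHP), a database named app, a users table and a MySQL account named site, all of which are hypothetical names chosen for the example; the password values are constructed placeholders. It goes beyond the thread in one respect: password_hash()/password_verify() are used in place of the MD5 Richard mentions, because MD5 is fast and unsalted and is no longer a suitable password hash.

```php
<?php
// Added example, not from the original thread.
// Assumes: PHP 7+, mysqli with mysqlnd (for get_result()), a database "app" with
//   CREATE TABLE users (username VARCHAR(64) PRIMARY KEY, pw_hash VARCHAR(255) NOT NULL);
// The DBA creates the site account with only the rights the site needs
// (hypothetical names; this is the "minimum level of permissions" idea):
//   CREATE USER 'site'@'localhost' IDENTIFIED BY 'long-random-password';
//   GRANT SELECT, INSERT, UPDATE ON app.users TO 'site'@'localhost';
//   -- no DROP, no GRANT OPTION, no access to other databases or to mysql.user

// A hash computed once at load time so that a login attempt for a username that
// does not exist costs the same as one for a real user.
define('DUMMY_HASH', password_hash('dummy', PASSWORD_DEFAULT));

function connect_db(): mysqli
{
    $user     = 'site';                 // least-privilege account, never root
    $password = 'long-random-password'; // constructed placeholder
    $db = new mysqli('localhost', $user, $password, 'app');
    if ($db->connect_error) {
        // Log the detail server-side; the browser gets nothing that names hosts or users.
        error_log('DB connect failed: ' . $db->connect_error);
        exit('Service unavailable');
    }
    // The credentials are not needed after the handshake, so drop them from scope.
    unset($user, $password);
    return $db;
}

// Store only a salted, slow hash; the plaintext password is never written anywhere.
function register_user(mysqli $db, string $username, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash); // prepared statement: no string-built SQL
    return $stmt->execute();
}

// Compare hashes, not plaintext. password_verify() does a constant-time comparison.
function check_login(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row  = $stmt->get_result()->fetch_assoc();
    $hash = $row['pw_hash'] ?? DUMMY_HASH;
    $ok   = password_verify($password, $hash); // always runs, even for unknown users
    return $row !== null && $ok;
}

// A reset issues a fresh temporary password; the old one cannot be "sent back"
// because only its hash was ever stored.
function reset_password(mysqli $db, string $username): ?string
{
    $temporary = bin2hex(random_bytes(12));
    $hash      = password_hash($temporary, PASSWORD_DEFAULT);
    $stmt = $db->prepare('UPDATE users SET pw_hash = ? WHERE username = ?');
    $stmt->bind_param('ss', $hash, $username);
    $stmt->execute();
    return $stmt->affected_rows === 1 ? $temporary : null;
}

// Usage (constructed sample data):
$db = connect_db();
register_user($db, 'berns', 'correct horse battery staple');
var_dump(check_login($db, 'berns', 'correct horse battery staple'));
var_dump(check_login($db, 'berns', 'wrong password'));
var_dump(reset_password($db, 'berns'));
```

The database password still has to sit in a PHP file somewhere, which is exactly why the GRANT is scoped to the one table the site uses: if the file is ever read (a misconfigured server handing out .php as text, a shell on the box), the account gained can read and update users but cannot touch other databases or create new accounts. The users table, for its part, holds nothing that lets an attacker log in as someone else without first breaking the hash.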


