Thread: Secure Passwords

  1. #1

    Thread Starter
    KrisSiegel.com Kasracer's Avatar
    Join Date
    Jul 2003
    Location
    USA, Maryland
    Posts
    4,985

    Secure Passwords

    I have a PHP script that connects to a database, downloads some data and closes the connection.

    However, my username and password for the database are right in my source code.

    I was told you can use MD5 but I wasn't able to figure out how to use it exactly without having the password somewhere within the source code.

    So my question is, is there any secure way to connect to a MySQL database without including the actual plain text password in the source?

  2. #2
    Lively Member morrowasted's Avatar
    Join Date
    Aug 2003
    Location
    Houston, TX
    Posts
    118
    Umm, it's not like the user can see your PHP scripts anyway...

    -morrowasted

  3. #3

    Thread Starter
    KrisSiegel.com Kasracer's Avatar
    Join Date
    Jul 2003
    Location
    USA, Maryland
    Posts
    4,985
    Originally posted by morrowasted
    Umm, it's not like the user can see your PHP scripts anyway...
    While everything sent to the user gets parsed (sp?), there are ways around it.

  4. #4
    PowerPoster techgnome's Avatar
    Join Date
    May 2002
    Posts
    34,687
    If the password you want to encrypt is the password to the DB for the connection... then MD5 is not the way to go. MD5 is a ONE WAY encryption method. What you may want to consider is writing your own encryption method of some kind to scramble the password, then un-do it when you want to connect to the DB.

    If what you are doing is encrypting a password to be stored in the DB, then MD5 can work. It works like this: User enters their password (this would be like when they are signing up), encrypt it using MD5 and store the result in the database. Then whenever the user logs in, they type their password in, it gets encrypted using MD5, then you can use that result to compare against the stored value (which was previously encrypted using MD5)....
    * I don't respond to private (PM) requests for help. It's not conducive to the general learning of others.*
    * I also don't respond to friend requests. Save a few bits and don't bother. I'll just end up rejecting anyways.*
    * How to get EFFECTIVE help: The Hitchhiker's Guide to Getting Help at VBF - Removing eels from your hovercraft *
    * How to Use Parameters * Create Disconnected ADO Recordset Clones * Set your VB6 ActiveX Compatibility * Get rid of those pesky VB Line Numbers * I swear I saved my data, where'd it run off to??? *
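The sign-up / log-in flow techgnome describes, as an added example that is not code from the thread. It uses PHP's `password_hash()`/`password_verify()` in place of a bare `md5()` so each stored value is salted and slow to brute-force; the `$db` handle and the `users(username, password_hash)` table are assumptions.

```php
<?php
// Added example (not from the thread): hash at sign-up, re-hash and compare at
// log-in. password_hash()/password_verify() stand in for the bare md5() in the
// post so that every stored hash carries its own salt and a work factor.
// Assumes a mysqli connection $db and a table users(username, password_hash).

function register_user(mysqli $db, string $username, string $password): bool
{
    // One-way: the plaintext is never stored, only the salted hash.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    return $stmt->execute();
}

function login_user(mysqli $db, string $username, string $password): bool
{
    // Prepared statement keeps the user-supplied name out of the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null) {
        // Unknown user: verify against a dummy bcrypt hash so the response
        // takes the same time as a real lookup and does not leak valid names.
        password_verify($password, '$2y$10$' . str_repeat('a', 53));
        return false;
    }
    // The stored hash is never "decrypted"; the candidate is hashed with the
    // same salt and the two digests are compared in constant time.
    return password_verify($password, $row['password_hash']);
}
```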

  5. #5
    PowerPoster techgnome's Avatar
    Join Date
    May 2002
    Posts
    34,687
    if you want simple encryption.... try looking up the following functions: base64_decode and base64_encode

  6. #6
    Originally posted by kasracer
    While everything sent to the user gets parsed (sp?), there are ways around it.
    Umm, no. The script gets parsed on the server side and the PHP source never reaches the client's computer. Unless there is some sort of mistake in your code (security wise) then you needn't worry.

  7. #7
    Lively Member morrowasted's Avatar
    Join Date
    Aug 2003
    Location
    Houston, TX
    Posts
    118
    Originally posted by Chroder
    Umm, no. The script gets parsed on the server side and the PHP source never reaches the client's computer. Unless there is some sort of mistake in your code (security wise) then you needn't worry.
    my thoughts exactly.

    even if you use a downloader, you get a parsed HTML File.

    I don't think it's possible to get the PHP code from a server.

    -morrowasted

  8. #8
    Frenzied Member TomGibbons's Avatar
    Join Date
    Feb 2002
    Location
    San Diego, CA Previous Location: UK
    Posts
    1,345
    Originally posted by morrowasted
    my thoughts exactly.

    even if you use a downloader, you get a parsed HTML File.

    I don't think it's possible to get the PHP code from a server.
    Other than FTP anyway, I don't know of any other ways either.

  9. #9
    Unless you name your file something other than what the server is expecting to parse, like global.inc.

  10. #10
    Stuck in the 80s The Hobo's Avatar
    Join Date
    Jul 2001
    Location
    Michigan
    Posts
    7,256
    Unless your server is set up wrong, then what they are saying is correct.

    If your server isn't set up to parse .php files, then it will give the code.

    Otherwise you have nothing to worry about.
    My evil laugh has a squeak in it.

    kristopherwilson.com

  11. #11
    Lively Member Brandito's Avatar
    Join Date
    Nov 2000
    Location
    Here, There, Every Where!
    Posts
    106

    here you go

    There is another post where this was talked about:
    http://www.vbforums.com/showthread.p...hreadid=251732

    The answer is yes. Store it in another php file and include that file. Where the password was in your db connect command... replace it with the variable that holds your password in the other file. This way you can give people your source and they will not be able to see your pw because you will not give them the file that has it!

    This is also useful because every once in a while someone will find a bug that will let them see your .php source (which would compromise your db).

    Storing the password in the database is also good (as stated above by someone). Just make sure that it is not open to SQL Injection attacks. You can read more about those types of attack by going to the link above. If you are interested in how they work... my site changed so you will have to go here to dl the texts and proof of concept code:
    www.umr.edu/~bmpfg8

    But I would recommend pw encryption... but of course it is not worth a crap if you do not implement it correctly.

    Hope that helps,
    Brandon

    PS: sorry for all the spelling errors... too lazy to spell check
    Master of Cyber Fu - A Temple of Digital Chi
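Brandito's "store it in another file and include it" approach, as an added example that is not code from the thread, with the checks a practitioner adds around it. The path `/etc/myapp/db.php`, the array keys and the `SECRET_PLACEHOLDER` value are assumptions; the file is kept outside the web root, is given a `.php` extension so a stray request would be executed rather than served as text, and is refused if it is readable by anyone but its owner, since the password is still plaintext on disk.

```php
<?php
// Added example (not from the thread): the credentials live in a separate
// PHP file outside the document root and are pulled in at connect time.
// Assumed contents of /etc/myapp/db.php (mode 0600, owned by the web user):
//   <?php return ['host' => 'localhost', 'user' => 'app',
//                 'pass' => 'SECRET_PLACEHOLDER', 'name' => 'appdb'];

function load_db_config(string $path): array
{
    if (!is_file($path)) {
        throw new RuntimeException("db config missing: $path");
    }
    // The secret is still plaintext on disk: refuse a group/world-readable file.
    $perms = fileperms($path) & 0777;
    if (($perms & 0044) !== 0) {
        throw new RuntimeException(sprintf('db config %s is readable by group/other (%o)', $path, $perms));
    }
    // A .php file that returns an array: a direct HTTP request to it would be
    // executed (and print nothing), not served back as source text.
    $cfg = require $path;
    foreach (['host', 'user', 'pass', 'name'] as $key) {
        if (!isset($cfg[$key])) {
            throw new RuntimeException("db config missing key: $key");
        }
    }
    return $cfg;
}

function connect_db(string $configPath = '/etc/myapp/db.php'): mysqli
{
    $cfg = load_db_config($configPath);
    // Throw on failure rather than echoing driver error text into the page.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name']);
    // Drop the plaintext from the script's variables once the handshake is done.
    unset($cfg);
    return $db;
}
```

The source you hand out then references `connect_db()` and never contains the password; what this does not change is that whoever can read the config file on the server still has it in the clear.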

  12. #12
    Stuck in the 80s The Hobo's Avatar
    Join Date
    Jul 2001
    Location
    Michigan
    Posts
    7,256
    Brandito, you realize you were answering the wrong question on that thread, right?

    He wanted to know about encrypting user passwords in his database. Which is far different from hiding the password to initially connect to the database.

    Edit: Well, I take that back, you went on to answer the right question later. I still don't understand why you said the first part, though...

  13. #13
    Lively Member Brandito's Avatar
    Join Date
    Nov 2000
    Location
    Here, There, Every Where!
    Posts
    106

    what do you mean?

    Hobo, I guess I do not understand what you are saying. What part did I not answer correctly? I am confused. I reread THIS post and my answers were right on... I reread the linked post... and it was right on. Telling me what exactly I did not answer would clear this up for me. On both accounts I didn't read anything saying "inside the database" password encryption. Where are you getting this? I am not going to copy-paste a quote of their questions and line them up to my answers... so either you see something I don't or you've been run over by the short bus. : )

    l8r,
    brandito

  14. #14
    Stuck in the 80s The Hobo's Avatar
    Join Date
    Jul 2001
    Location
    Michigan
    Posts
    7,256
    Wow, you're not the slightest bit rude. Did you happen to read the last line of my post above, where I went on to say that you DID answer the question, but at first you answered a question that wasn't asked?

    The original poster of the OTHER thread asked this:

    Why would I want to use encryption on the user's passwords, such as MD5? Would this be solely to provide my users with a sense of personal security from the script's host?
    To which, you at first, replied:

    You should keep user name, password, database stuff all stored in a separate file so if you give out your code you don't have to worry about people seeing that information. (Stored in Variables)
    Which has nothing to do with user's passwords being encrypted in the database.

    While it is good advice, it wasn't part of his question. So that's like me asking you what a good brand of dog food is, and you telling me that it's a good idea to let my dog outside a few times a day so he doesn't piss all over my carpet.

    Do you understand now, or am I going to have to be insulted again?

  15. #15
    Stuck in the 80s The Hobo's Avatar
    Join Date
    Jul 2001
    Location
    Michigan
    Posts
    7,256
    And, further more, you said in THIS thread:

    There is another post where this was talked about :
    http://www.vbforums.com/showthread....threadid=251732
    Which is wrong. The linked thread talks about encrypting passwords that are IN the database, not securing passwords that ACCESS the database.

    You just happened to make a random comment about passwords to access the database.

    Do you see where I'm coming from?

  16. #16
    Lively Member Brandito's Avatar
    Join Date
    Nov 2000
    Location
    Here, There, Every Where!
    Posts
    106

    thoughts

    I am not trying to flame on this forum but your comment on me being rude is like the pot calling the kettle black. Take what I wrote however you want, I just thought I would let someone know about what is out there. I am sorry if I led someone astray because you obviously like busting my chops about it.

    The reason I talked about putting it into a separate file was because of this
    So my question is, is there any secure way to connect to a MySQL database without including the actual plain text password in the source
    And how you can do that is by... putting it in a separate file!

    "And, further more..." I am here to talk about security, not argue over petty s***.

    Brandito

  17. #17
    Stuck in the 80s The Hobo's Avatar
    Join Date
    Jul 2001
    Location
    Michigan
    Posts
    7,256

    Re: thoughts

    Originally posted by Brandito
    I am not trying to flame on this forum but your comment on me being rude is like the pot calling the kettle black.
    Are you trying to imply that I was being rude? I just scanned the thread and don't see it. If you could kindly point me where...

    Originally posted by Brandito
    Take what I wrote however you want, I just thought I would let someone know about what is out there. I am sorry if I led someone astray because you obviously like busting my chops about it.
    I was pointing out that you answered the wrong question and that your thread that supposedly deals with THIS thread's question doesn't.

    What's the problem with that? I didn't say "hey idiot!", I was nice about it...

    Originally posted by Brandito
    The reason I talked about putting it into a separate file was because of this

    And how you can do that is by... putting it in a separate file!
    Yes, for THIS thread. In that thread you were posting the answer to the wrong question.

    Originally posted by Brandito
    "And, further more..." I am here to talk about security, not argue over petty s***.
    Then why are you still arguing? I made a comment about what you said because I was confused. I wasn't rude in stating it either.

    You then come and imply that I'm stupid? Right.

  18. #18
    PowerPoster techgnome's Avatar
    Join Date
    May 2002
    Posts
    34,687

    Re: thoughts

    Originally posted by Brandito
    The reason I talked about putting it into a separate file was because of this

    And how you can do that is by... putting it in a separate file!

    Brandito
    It is still in plain text though.... all you've done is simply move it to another file.... I don't think the issue was in the distribution of the files, but rather simply having the data encrypted somehow.....
    ----
    The Hobo -
    Brandito -

  19. #19
    Stuck in the 80s The Hobo's Avatar
    Join Date
    Jul 2001
    Location
    Michigan
    Posts
    7,256

    Re: Re: thoughts

    Originally posted by techgnome
    The Hobo -
    Brandito -
    I can't. They give me rashes in unnice places.

  20. #20
    Frenzied Member
    Join Date
    Nov 1999
    Posts
    1,337

    Re: here you go

    Originally posted by Brandito
    Storing the password in the database is also good (as stated above by someone). Just make sure that it is not open to SQL Injection attacks. You can read more about those types of attack by going to the link above. If you are interested in how they work... my site changed so you will have to go here to dl the texts and proof of concept code:
    www.umr.edu/~bmpfg8
    How can you store a password in the database you can't connect to, because the password is in the database?

  21. #21
    PowerPoster techgnome's Avatar
    Join Date
    May 2002
    Posts
    34,687

    Re: Re: Re: thoughts

    Originally posted by The Hobo
    I can't. They give me rashes in unnice places.
    You know they have a cream for that now......

  22. #22
    Stuck in the 80s The Hobo's Avatar
    Join Date
    Jul 2001
    Location
    Michigan
    Posts
    7,256

    Re: Re: Re: Re: thoughts

    Originally posted by techgnome
    You know they have a creame for that now......
    The ladies don't like it when I have rash-cream-flavored junk. Ya know?