Thread: MYSQL and PHP




MYSQL and PHP
user name
2006-05-15 18:07:57
Hi,

First off, I'm not a PHP programmer, but I would like to know the following:

Is it standard to use INC files to store MYSQL db connection settings (username and password)?

What else could you do to make this "safer"?

I presume Apache looks for files with extension "*.INC" and does not process them, right?

Thank you

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection
around 
http://mail.yahoo.com 

------------------------------------------------------------
-------------
Sponsored by: Watchfire

Watchfire named worldwide market share leader in web
application security 
assessment by leading market research firm. Watchfire's
AppScan is the 
industry's first and leading web application security
testing suite, and 
the only solution to provide comprehensive remediation tasks
at every 
level of the application. See for yourself. 
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/apps
cansix.aspx?id=701300000007t9c
------------------------------------------------------------
--------------

MYSQL and PHP
user name
2006-05-16 10:41:59
Hi,

It is unsafe to store any PHP code in .inc files, due to the default Apache configuration. By default, the web server will not process them with PHP but will output them to the browser as plain text.

The solution widely used for this situation is to store PHP configuration files in .inc.php files, because a fully working Apache + PHP will process this file through the PHP preprocessor and will not display plain text but will output formatted HTML.

--
Hostas.lt
Customer service
http://www.hostas.lt





MYSQL and PHP
user name
2006-05-16 00:58:55
On 5/15/06, John Madden <chiwawa999yahoo.com> wrote:
> Is it standard to use INC files to store MYSQL db
> connections settings (username and password)?

Yes, it is very common.


> What else could you do to make this "safer"?

If done correctly, there's nothing wrong (imo) with using an include file. "Correctly" generally means at least the following:

   - the include file is in a directory that is *not* accessible to the web server
   - the file has permissions at the file system level such that only the appropriate user(s) are able to read it (on a unix box I typically set them to `chmod 0750` where the group is the webserver group and the user is set to the owner of the file ... and arguably the executable bit is not even needed for the owner)

PHP is file system aware, so files which are included do not need to be in a directory the web server is serving to the internet. This is one reason why putting db login and other sensitive information in one (rather than in the script which is being executed by the server and displayed to the browser) is a good idea.


> I presume Apache looks for files with extension "*.INC" and does not process them, right?

IIRC, by default apache will serve anything it is not configured for (or able to determine using the mime-magic module) with a mime type "text/plain". This would mean that the .inc file is likely to be served up as a plain text file if it is in a web accessible directory.

One practice I've seen is to name the file <foo>.inc.php which forces the script to be passed to PHP for parsing. This may help (presuming PHP is correctly installed and configured for the server), but it is much better to simply not allow the web server to serve up the include file to the browser (I tend to do both things).

--
Jason Ross
GPG key: 0xF80C38B6


MYSQL and PHP
user name
2006-05-16 02:16:23
On May 15, 2006, at 2:07 PM, John Madden wrote:

> I presume Apache looks for files with extension "*.INC" and does not process them, right?
Hi-

No, Apache, by default, will treat inc files as plain text and hand them to the browser.  If I need to have files that are web accessible and included, I use the php extension to force them to be processed.

Kevin
---------------------
BASE Project Lead
http://sourceforge.net/projects/secureideas
http://base.secureideas.net
The next step in IDS analysis!




MYSQL and PHP
user name
2006-05-16 02:45:59
No. End them in .php.

If someone knows the filename, they could view it.

You could also write an htaccess file to not allow remote users to see .inc files.


MYSQL and PHP
user name
2006-05-16 13:09:59
John -

This is common practice in PHP - it isn't the best way to do things, but it is common.

If you can't get application changes made to better protect the authentication information, at least make sure the include files aren't readable by the world. It is common for developers to use some alternate file extension, such as INC, and then forget to map it to php in the Apache config file - thus, an attacker can often read the file by simply requesting it. The only "defense" is the obscurity of the filename. A simple script can make repeated requests with variations on the filename. (ie, in your browser, try http://<site>/<filename.inc> and see if it dumps the source to the browser.)

In the httpd.conf - make sure you have a line like:

AddType application/x-httpd-php  .inc

This will cause apache to run the .inc file through the PHP interpreter rather than returning the text back to the browser.

Another method I strongly encourage is to use the excellent mod_security package (http://www.modsecurity.org) and use its filtering engine to block requests for such files - after all, since they are only includes, they should never be requested directly.

Of course, one should also get the code updated and have it read an encrypted file and decrypt the credentials.


Gerald Quakenbush
Author of 'Web Hacker Boot Camp'
http://www.quakenbush.com
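The check Gerald describes (request the include by name and see whether the source comes back), automated as a small probe. This is an added example, not code from the thread or from any poster: the candidate filenames, the source-detection patterns and the simulated server responses are assumptions constructed for illustration, and the live_fetch helper is only for hosts you are authorised to test.

```python
"""Probe a site for include files that Apache serves as raw PHP source.

Added illustration of the 'request the .inc and see if it dumps the source'
check; not code from the thread. Candidate names and sample responses are
constructed assumptions."""
import re
from itertools import product

# Strings that appear in PHP source but not in the output of a parsed
# config-only include, which normally prints nothing at all.
_SOURCE_MARKERS = (
    re.compile(r"<\?php", re.I),
    re.compile(r"\b(mysql_connect|mysqli_connect|new\s+PDO)\s*\(", re.I),
    re.compile(r"\$\w*(pass|pwd|secret)\w*\s*=", re.I),
)


def candidate_paths(base_names=("config", "db", "dbconfig", "connect", "settings"),
                    suffixes=(".inc", ".inc.php", ".php.inc", ".inc.bak", ".inc~", ".php~")):
    """The 'variations on the filename' a script would request (assumed list)."""
    return sorted("/" + base + suffix for base, suffix in product(base_names, suffixes))


def classify(status, content_type, body):
    """disclosed: PHP source reached the client; parsed: PHP ran the file;
    blocked/missing: the server refused the request or has no such file."""
    if status in (401, 403):
        return "blocked"
    if status == 404:
        return "missing"
    if status == 200:
        mime = content_type.split(";")[0].strip().lower()
        raw_mime = mime in ("text/plain", "application/octet-stream")
        if any(m.search(body) for m in _SOURCE_MARKERS) or (raw_mime and body.strip()):
            return "disclosed"
        return "parsed"
    return "other"


def probe(fetch, paths):
    """fetch(path) -> (status, content_type, body). Injected so the same logic
    runs against recorded responses or against a live host."""
    return {p: classify(*fetch(p)) for p in paths}


def live_fetch(base_url, timeout=10):
    """Build a fetch() for a real site you are authorised to test."""
    import urllib.error
    import urllib.request

    def fetch(path):
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "inc-probe/1.0"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                body = resp.read(65536).decode("utf-8", "replace")
                return resp.status, resp.headers.get("Content-Type", ""), body
        except urllib.error.HTTPError as err:
            return err.code, err.headers.get("Content-Type", ""), ""
    return fetch


# Constructed responses (not captured from any real host) modelling the
# server states discussed in the thread.
SAMPLE_SOURCE = "<?php\n$db_host = 'localhost';\n$db_user = 'app';\n$db_pass = 'example-only';\n?>\n"


def simulated_server(path):
    if path == "/config.inc":        # no AddType for .inc: Apache serves it raw
        return 200, "text/plain", SAMPLE_SOURCE
    if path == "/config.inc.php":    # parsed by PHP: assigns variables, prints nothing
        return 200, "text/html", ""
    if path == "/db.inc":            # a <Files> block denying .inc in httpd.conf/.htaccess
        return 403, "text/html", "<html><title>403 Forbidden</title></html>"
    if path == "/config.inc.bak":    # editor backup left in the docroot
        return 200, "application/octet-stream", SAMPLE_SOURCE
    return 404, "text/html", "<html><title>404 Not Found</title></html>"


def demo():
    """Return the candidate paths that the simulated server disclosed."""
    results = probe(simulated_server, candidate_paths())
    return sorted(p for p, verdict in results.items() if verdict == "disclosed")


if __name__ == "__main__":
    print(demo())  # ['/config.inc', '/config.inc.bak']
```

A "parsed" verdict is not a clean result: the file is still reachable and PHP executed it on its own, outside the script that normally includes it. Only "blocked" or "missing" show that the web server cannot hand the file out at all, which is what placing it outside the document root achieves.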




MYSQL and PHP
user name
2006-05-16 04:06:15
Name your files "*.inc.php" to prevent apache from displaying them.  As added security, keep them out of the web root and access them using absolute paths (ie., if your webroot is /home/web/public_html/, store your includes in /home/web/includes).  If you must have your files below your webroot, make sure to use an .htaccess file to prevent access to the directory directly.  Combine these three tactics and you should be in good shape.

For server-level security in shared hosting environments, if your web host supports some sort of accelerator such as eaccelerator, ioncube, or zend encoder, encode your DB login information PHP files using that.  And, as always, proper file ownership and permissions (user:apache, 640) are of primary importance.

- Todd
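The two file-system rules that Jason (chmod with the web-server group, no access for others) and Todd (keep includes out of the web root, user:apache 640) give above, turned into an audit script that walks a site directory and reports include files that break either rule. This is an added example, not code from the thread or from any poster; the list of include-file suffixes and the sample site layout it builds are constructed assumptions.

```python
"""Audit where PHP include files live and who can read them.

Added illustration of the advice in the thread (include outside the docroot;
owner read/write, web-server group read, nothing for others). Not code from
any poster; suffix list and sample layout are assumptions."""
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Names developers commonly give to credential/config includes (assumption).
INCLUDE_SUFFIXES = (".inc", ".inc.php", ".conf.php", ".config.php")


def is_under(path, root):
    """True if path resolves to a location inside root (symlinks resolved)."""
    try:
        Path(path).resolve().relative_to(Path(root).resolve())
        return True
    except ValueError:
        return False


def audit_include(path, docroot):
    """Return a list of findings for one include file; empty means clean."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if is_under(path, docroot):
        findings.append("inside document root")
    if mode & stat.S_IROTH:
        findings.append("world-readable (mode %o)" % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group- or world-writable (mode %o)" % mode)
    return findings


def audit_tree(site_root, docroot):
    """Walk site_root and map every include-like file to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(site_root):
        for name in files:
            if name.endswith(INCLUDE_SUFFIXES):
                full = os.path.join(dirpath, name)
                report[full] = audit_include(full, docroot)
    return report


def demo():
    """Constructed sample site (not taken from any real host): one include
    left in the docroot with the usual 644 default, one moved to a sibling
    'includes' directory and chmod 640 as Todd suggests. Returns
    {path relative to the site, '/'-separated: findings}."""
    site = tempfile.mkdtemp(prefix="phpsite-")
    try:
        docroot = os.path.join(site, "public_html")
        incdir = os.path.join(site, "includes")
        os.makedirs(docroot)
        os.makedirs(incdir)
        exposed = os.path.join(docroot, "db.inc")
        locked = os.path.join(incdir, "db.inc.php")
        for p in (exposed, locked):
            with open(p, "w") as fh:
                fh.write("<?php\n$db_user = 'app';\n$db_pass = 'example-only';\n")
        os.chmod(exposed, 0o644)  # what a 022 umask leaves behind
        os.chmod(locked, 0o640)   # owner rw, web-server group r, others nothing
        report = audit_tree(site, docroot)
        return {os.path.relpath(p, site).replace(os.sep, "/"): f
                for p, f in report.items()}
    finally:
        shutil.rmtree(site, ignore_errors=True)


if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        print(path, "->", ", ".join(findings) or "ok")
```

Run it against a real site as `audit_tree("/home/web", "/home/web/public_html")`. The mode check looks only at the permission bits, so a file owned by the wrong user or group still passes; pair it with `ls -l` to confirm the group is the one the web server runs as.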


MYSQL and PHP
user name
2006-05-16 08:28:21
Hi
I put all my constants in a single include file, this helps when uploading sites as you can put the whole site up excluding this one file and not worry about losing settings.

By default apache will send .inc files out without parsing them. If you want to get it parsed and also label that it's an include file you can call it .inc.php rather than just .inc. You could also modify the apache conf file to get it to parse the .inc files as .php which can be a bit tricky if you are not hosting the site yourself.

Robin


MYSQL and PHP
user name
2006-05-16 08:28:56
That is one of the most wrong assumptions.

Most apache configurations see .INC as text/plain. Which means if you have your db settings in there anybody can read them by just pointing the browser at them.

The best approach is to use a simple .php file that is not in your document root so not accessible from outside.

Even if you don't put it outside of your document root it will still be parsed as PHP. And as long as you don't print out your sensitive data it should never reach the browser.


MYSQL and PHP
user name
2006-05-16 22:07:32
John Madden <chiwawa999yahoo.com> wrote on 05/15/2006 12:07:57 PM:

> Is it standard to use INC files to store MYSQL db connection settings (username and password)?
> 
> What else could you do to make this "safer"?

Summarizing the responses so far, four approaches to this problem have been offered:

1. Make include files parseable as PHP, through a combination of filename extension and httpd.conf.
2. Deny requests on include files, through a combination of filename extension and httpd.conf.
3. Locate include files outside document root.
4. Use the mod_security package.

One potential issue with #1, seldom mentioned, is that include files may then be executed out of context. You will have to be the judge if that is a problem for each of your include files.

Any solution through httpd.conf (or other configuration) relies on the "perfectibility of man": the configuration must be re-created when the server is rebuilt, the new trainee takes over, etc. I have personally seen this approach fail when the configuration was not carried along during a version upgrade.

I will cast my vote for #3, when it is possible to do so. Chris Shiflett [Essential PHP Security] also recommends this as the primary approach.

Kirk


