I have a web app (html5,javascript,css ..) with a connection page,
but in this page i only put the password in a JavaScript file to do the test, than i have figured out that any one who can open the google chrome console can see the password.
So i want to put the password in a distant secure file in my case webserver wamp how can i do it ?
I've read about cgi scripts but i don't know how to use it, please if you have any tutorials or an ideas like ssl or something else i'll be very thankful.
If you match a password with anything on the client side, then your application is NEVER going to be secure. You want the provided password to be matched against something which the user does not see.
Start from here to better understand differences. And then take a look here for an implementation. It uses a database backend. But you could easily replace that with file content matching. After that, most likely you'll need to work with a session to ensure authentication is enforced.
Although I do not recommend it, if you're in a hurry and don't need too much security, you can also take alook here.
Related
I'm new to this so please be gentle with me!
I have a PHP login page which connects to a MYSQL table (users) for validation
I need a username and password to initially access the table. eg:
$con = mysqli_connect('localhost','masteruser','masteruserpassword,'users');
Is it safe to keep the username and password coded in the PHP file. I'm thinking it is because the PHP file will never be 'served' only executed.
Any tips please
PHP code is executed on server So no need to worry about this.
Only processed output from the php code is delivered to the client side in form of response in html and js.
It's totally safe. But it will be much better, if you move it to config file
It's safe unless somebody reach your server.
For what it's worth, WordPress works this way. The database access credentials are in plain text in a file called wp-config.php in the installation's root directory. WordPress is probably the most widely deployed MySQL based web app there is. So you should be OK. WordPress seems to be working fine. :-)
BUT: practice defense in depth. Create a special MySQL account for your web app, and restrict its privileges to the MySQL database (or databases) your web app needs. Don't put a MySQL administrative account in there.
Also, make sure that account is restricted so attempts to connect from machines other than your web host will fail.
Thirdly, try to use a MySQL server machine that's behind a firewall, and only accessible to other machines in the same data center.
Finally, keep routine backups.
If you're using a typical commercial shared hosting service they take care of most of this for you (maybe not the backups).
That way, if somebody does manage to crack your server and look at your password, they'll have a hard time making use of it, and if they do make use of it they won't be able to damage much. If they do damage your app, you'll be able to restore it from backup.
I'm trying to create a security mechanism that only allows my application to upload files to my FTP (username and password login is not enough). To achieve this I was thinking of creating a key that is built in to the app, and before any file can be uploaded to the FTP this key has to be read and verified. If it's correct, then the file can be uploaded.
Is this something that is possible to do, and would this approach be preferred? Does anyone have any pointers on how to do this?
(note: i'm not asking for any code, just some pointers on where to start, since my searches aren't getting my anywhere)
Thanks.
if you are worried about unsecured wi-fi, etc, you can either use SFTP or tunneling over SSH e.g. with connectbot
the use of public key crypto will will make sniffing harder.
if this is too much work for the intended userbase, you could generate one time passes (like google authenticator) and upload your file with a POST form or something.
if you are afraid of the key itself getting stolen (compromised device), there is little you can do..
There's no point in reproducing an answer from another question verbatim, so I'll just post this link to it.
I have a file setup.php.
This file has the mysql username and password. Is there any method to make it unreadable or encrypt it so that even the admin can not read it, or can read it but still not know the password?
The short answer is that for practical purposes you can make it harder for them to access it but not impossible.
If someone has full access to a server filesystem (eg, with root permissions) then they can read any data off that filesystem, so they can read the code and any data files that you place on there. As the application running on that host needs to be able to use the credentials there's no effective way to prevent someone with full access to that server from reading them.
You could obfuscate them, to make it a bit harder. if you encrypt the credentials in the setup.php file and then placed a decryption algorithm and key in another php file, it would stop someone just opening the file and getting the creds, but it they could always reverse engineer that solution if they're determined enough.
Additionally if they've got full control of the server it would be possible to use a packet sniffing tool to get the credentials as they're used (unless you're encrypting them with something like SSL).
Ultimately if someone is running an application and controls the server you have to place a level of trust in them.
As an aside there's a stackexchange site at security.stackexchange.com that's a good place for questions like this.
Create a new user in MySQL and give some basic permissions for that user. Then you will have two users, your admin account and the user account with limit privileges.
You also can deny view a folder where your setup.php is located doing the same trick, create other user in your OS to limit restrictions to that folder
I have a website developed in PHP. There are 2 classes (in 2 seperate php files) that contain the siteadmin's gmail user id and password (in plain text) and database password (again in plain text). Though none of these classes are displayed on the browser ( like index.php). These files contain only php classes and no html code and the references to those plain text passwords is only through objects of those classes.
Off late, I have started to wonder if this is secure enough? I have tried my best (acting as a malicious person) to try and read the contents of the two said php files but was not able to do so. I am not very conversant with developing secure code, so not sure what should be my approach to make sure that these passwords never get exposed.
Could any one please suggest best practices to develop php code that can contain such sensitive information securely.
Put configurable items in a separate configuration file, above your public web directory
Make sure you have set correct file permissions to your files
Check your web application for local (and remote) file inclusion
Have your server up-to-date
Having your passwords at a safe spot is not the complete solution, you'll need to have your complete PHP application secure, and nobody unauthorized should be able to get root/administrator access to the server.
Firstly, I'd look at using OAuth for accessing GMail if at all possible - it means you don't have to store credentials at all, and provides some level of protection in case your server does get compromised.
I would also look at the answers to this question.
Finally, if your site is on the public internet, it's worth reading up on at least the basics of internet security, and especially securing web applications. There are all sorts of ways things can go wrong. I like the "hacking exposed" books.
Don't store passwords in files, because someone will eventually check that file into source control. Or someone will set a permission incorrectly.
Run the application with its own O/S user account
Put the passwords in an O/S environment variable for the application user (not a system environment variable)
I'm making a members area for my site and I have it already running. I authenticate members using mysql and php and this works really well.
But now problems occurs, I would like to offer members a possibility to upload files to the systems, and those files should be available ONLY to logged in members.
I know I could store those files to a database or even in a filesystem and serve them throught php, BUT this will get very heavy for the server when members upload bigger files. Those files might be even 20MB or even bigger.
I would like to let apache serve the files, but just need to find a way to automatically do the http authentication, so users wouldn't need to log in twice. I suppose it is ok to make this http authentication behind one username and password, something like when a user logs in to the php and mysql authentication, transparently at the same time javascript etc. would do that http authentication also, every member would do the http authentication with the same credentials. Of course I wouldn't want to store those http auth credentials in a javascript file, but something ajax like solution maybe would do the trick. I'm just not sure how to do this.
It seems like you are confusing authentication (where you provide some way to login) with HTTP authentication (where you specifically use the HTTP protocol to authenticate, and the browser shows a popup to the user).
You probably want the former so you can style the login page. In that case you'll have to use PHP or some scripting langauge to check that the user is logged in. fpassthru or readfile can be good solutions for some web sites; they're fast and optimised for this type of work.
If you really want to do the file handling work in the web browser and not in PHP, one solution can be to create unique, short-lived filenames. You can for example create hard links to the file in PHP using link and then redirect the user to the temporary filename. Store the hard links in a database and remove them after a short while.
Check out Using PHP/Apache to restrict access to static files (html, css, img, etc). I think the approach taken there is pretty similar to your problem.