JohnDahl Posted August 15, 2018

The w3schools tutorials are well written and very clear, but when I got to the MySQL database section red flags went up: https://www.w3schools.com/php/php_mysql_connect.asp, specifically this code snippet:

<?php
$servername = "localhost";
$username = "username";
$password = "password";
yada yada yada...
?>

The password in plain text? Just so? Without comment or explanation? That CAN'T be right... Surely the password should be obscured somehow, correct? Aren't there security concerns here? Regardless, this should be explained or commented on somewhere on that page. Today I put this PHP code snippet in a protected folder and used the "include" keyword to access the database, but still the password is saved in plain text.
Ingolme Posted August 15, 2018

The password is never sent over the internet; this is just source code of a program that only ever gets executed on the server.
dsonesuk Posted August 15, 2018

True, the password for an example is simple text, but unless you can view that file through an actual editor, all you will ever see opening the PHP file with just that snippet on the server is a blank page.
justsomeguy Posted August 15, 2018

The only danger there is if an attacker has access to your filesystem; then they can read the contents of files like that. But if an attacker has access to your filesystem then you have bigger problems than leaking a database password.
JohnDahl Posted August 27, 2018 (Author)

On 8/15/2018 at 8:17 PM, dsonesuk said:
True, the password for an example is simple text, but unless you can view that file through an actual editor, all you will ever see opening the PHP file with just that snippet on the server is a blank page.

On 8/15/2018 at 9:15 PM, justsomeguy said:
The only danger there is if an attacker has access to your filesystem; then they can read the contents of files like that. But if an attacker has access to your filesystem then you have bigger problems than leaking a database password.

OK, thank you both for replying (I never received a notification despite subscribing to the topic!??). It just seems so wrong to put a password in plain text; I was expecting something like Linux "shadow passwords", where the password is obfuscated. There do exist software packages that encrypt PHP code, like Zend Guard, but this is overkill in my case (and expensive). Although justsomeguy (I like that name) makes a good point, it would make sense for w3schools to explicitly point out that plain-text passwords in the PHP file are "normal", and why this is OK. I never get warm fuzzies when I see plaintext passwords. Since the website runs on a Linux platform, maybe sometime later I will look into shadow passwords for that PHP code. If nothing else I will learn more about Linux security.
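Editor's note, added example (this is not code from w3schools or from any poster in the thread). The "shadow password" idea from the last post cannot apply here: /etc/shadow stores a one-way hash because the system only ever needs to verify a password, whereas the PHP script must present the real secret to MySQL, so it has to be recoverable. What justsomeguy's point leads to in practice is controlling who can read the file: keep it outside the document root (so no URL can ever serve it, even if the PHP handler is misconfigured) and readable only by the account PHP runs as. The snippet below does what JohnDahl's "protected folder plus include" approach aims at, and refuses to start if either condition fails. The paths /var/www/db_config.php and /var/www/html, the key names in the config array, and PHP 8.0+ (for str_starts_with) are assumptions.

```php
<?php
// Added example: load MySQL credentials from a file outside the web root
// that only the PHP user can read, instead of hard-coding them in a script
// under the document root. Paths and key names are assumptions.
declare(strict_types=1);

// Assumed layout: document root is /var/www/html, credentials live one
// level above it. The file is expected to contain:
//   <?php return ['host' => 'localhost', 'dbname' => 'myDB',
//                 'user' => 'username', 'password' => 'password'];
const DB_CONFIG_PATH = '/var/www/db_config.php';

/** Load the credentials file, refusing to proceed if it is exposed. */
function load_db_config(string $path, string $docRoot): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("DB config not found: $path");
    }

    // 1. The file must not sit under the document root; a misconfigured
    //    server could otherwise return the source (password included) as text.
    $root = realpath($docRoot);
    if ($root !== false && str_starts_with($real, rtrim($root, '/') . '/')) {
        throw new RuntimeException("DB config must be outside the web root: $real");
    }

    // 2. No group/other read bits: other local accounts (shared hosting,
    //    a compromised unrelated service) are the realistic reader.
    $mode = fileperms($real) & 0777;
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf(
            'DB config %s is mode %04o; fix with: chmod 600 %s', $real, $mode, $real));
    }

    $cfg = require $real;
    foreach (['host', 'dbname', 'user', 'password'] as $key) {
        if (!isset($cfg[$key])) {
            throw new RuntimeException("DB config missing key '$key'");
        }
    }
    return $cfg;
}

/** Open the connection with exceptions on and real server-side prepares. */
function connect(array $cfg): PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $cfg['host'], $cfg['dbname']);
    return new PDO($dsn, $cfg['user'], $cfg['password'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

try {
    $cfg = load_db_config(DB_CONFIG_PATH, $_SERVER['DOCUMENT_ROOT'] ?? '/var/www/html');
    $pdo = connect($cfg);
    echo "Connected successfully\n";
} catch (Throwable $e) {
    // Log the detail; never echo it to the browser, since the message can
    // carry the file path or the DSN.
    error_log($e->getMessage());
    http_response_code(500);
    echo "Database unavailable\n";
}
```

On the server this pairs with `chown www-data:www-data /var/www/db_config.php && chmod 600 /var/www/db_config.php` (the user name depends on the distribution and SAPI). The same loader works unchanged if the credentials are later moved into environment variables set by the web server or systemd unit; only the source of the array changes, and the password is still held in clear by whatever process has to hand it to MySQL.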