plain text passwords in php.info

#89311 (In Topic #18060)

Fan in training

Hi,

I've found that the db_site and db_forums passwords are always stored in plain text within the info.php file. Personally I lack the knowledge about such things, but isn't that very insecure and improvable somehow? I'm thankful for any specific advice.

#89313

It's the only way to do it, all systems work like this. The web server needs to connect to the database, and even if it is the same server it works through a password because MySQL works on its own user system, not through the logged in unix user.

By default MySQL users can only connect from 1 IP address, the IP address for that user.

If someone has access to your server to call up MySQL through the server, and has access to read your files, you've already been hacked.

If it were me I'd design this all differently, but this is how it all works. It's the same on Windows with ASP and SQL server too, and with Java systems.

EDIT: and we can't encrypt the password with a key, because we'd need to store that key somewhere too ;).


Become a fan of ocPortal on Facebook or add me as a friend. Add me on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.

#89316

Fan in training

Thank you for your fast response. So correct me if I'm wrong (actually I expected it to be like that), the Master Password is encryptable because ocPortal has complete control over it, but for the db_site and db_forum this doesn't apply and so they can't be encrypted.

#89317

Pretty much. ocPortal never has to know the master password – so it's not encrypted, it's hashed. When logging in it compares the hashed version of what the user types, with the hashed version of the real password, to get a match. In theory hashes are one way, so you can't convert a hash back to a password, only compare it against another hash.


Become a fan of ocPortal on Facebook or add me as a friend. Add me on on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
Back to the top
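The hash-then-compare login check described in the reply above, written out as an added Python example; this is not ocPortal's own code, and the record format, the PBKDF2 parameters and the sample password are my own choices rather than anything ocPortal uses.

```python
# Added example (not ocPortal's code): store a one-way hash of the master
# password and verify a login by re-hashing what the user typed. Contrast
# with the db_site/db_forums credentials, which the web server must hand to
# MySQL verbatim and which therefore cannot be stored as hashes.
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 200_000  # assumed PBKDF2 work factor, not an ocPortal setting


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt$hash'.

    A random per-user salt means two users with the same password get
    different records, so a precomputed table of hashes cannot be reused.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Re-hash the candidate with the stored salt and compare the hashes.

    Nothing is decrypted: the stored hash is never turned back into a
    password, only compared (in constant time) against a fresh hash.
    """
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(digest.hex(), digest_hex)
    except (ValueError, TypeError):
        return False  # malformed record: fail closed


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print(verify_password(record, "correct horse battery staple"))  # True
    print(verify_password(record, "Correct horse battery staple"))  # False
```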
 
#89318

Fan in training

Alright, thank you again :)