  1. #1

    How do you secure your website's database information from hackers?

    Is simply having the appropriate permissions on the files with your database information good enough or are there other measures you can take to secure your database information? I normally use PHP websites so this info is usually in the configuration file.

  2. #2
    Join Date
    Jul 2008
    Location
    France
    Posts
    105
    All depends what sort of dbases we are talking about.

  3. #3
    Join Date
    Nov 2002
    Location
    Bay Area, California
    Posts
    309
    To secure your site, begin by removing all php scripts.

    Sorry, but that's my best advice.
    Sunwave Communications
    http://www.sunwave.com/
    Safety - Service - Economy

  4. #4
    Join Date
    Jul 2008
    Location
    San Bruno, CA. / Brazil
    Posts
    40
    Hello,

    If you have any PHP file that has some confidential data, I suggest you use an encryption program like Zend to encrypt your files. So, you have to check your file permissions too (CHMOD Linux).

    Regards,

  5. #5
    Join Date
    Jul 2008
    Location
    France
    Posts
    105
    Quote Originally Posted by Luxore View Post
    To secure your site, begin by removing all php scripts.

    Sorry, but that's my best advice.
    lol, that's an 'interesting' approach, secure the website by removing it!

    For MySQL it's simple: only allow localhost connections, ensure the root and any user passwords are very secure, and make sure all software versions (httpd, php, mysql-server) are up to date.
    For mssql, ensure the dbase files are outside of the webroot directories.
    For sqlite, make sure the dbase files are again outside of the webroot directory, i.e. outside of the www or public_html folder but still within the users account folders.
    Once again, make sure all passwords are secure and all software is up to date. This will be enough to keep the wrong ppl out.

  6. #6
    Join Date
    Dec 2005
    Posts
    3,110
    Pretty much what everyone has mentioned but my suggestions are:

    Block external access to MySQL, at your Firewall too is a good idea
    Keep MySQL Updated
    Keep your Scripts Updated
    Check File Permissions
    Run scripts as their own user with SUPHP/PHPSuexec

  7. #7
    Join Date
    Feb 2006
    Location
    Buffalo, NY
    Posts
    1,501
    Quote Originally Posted by Chris E View Post
    Pretty much what everyone has mentioned but my suggestions are:

    Block external access to MySQL, at your Firewall too is a good idea
    Keep MySQL Updated
    Keep your Scripts Updated
    Check File Permissions
    Run scripts as their own user with SUPHP/PHPSuexec
    Bingo - also you could go crazy and host the MySQL server on a different server so if someone got access to your machine they couldn't simply wipe out /var (or wherever MySQL databases may be) - the issue is if someone actually gets shell access to your server they still can do almost anything to your database :-\.
    Cody R.
    Hawk Host Inc. Proudly Serving websites since 2004.
    Official Let's Encrypt Sponsor

  8. #8
    Join Date
    Jul 2008
    Location
    San Bruno, CA. / Brazil
    Posts
    40
    I suggest you use md5 in password fields in your MySQL databases too.

  9. #9
    So basically using "localhost" instead of your actual server address is more secure? If that's true I just learned something new.

  10. #10
    If you're on shared hosting, localhost connections can be intercepted. I personally use MySQL sockets, but sockets on a shared server are no safer than TCP. MD5 for passwords is a must!
    If you can edit Apache's config, I recommend mod_security to have at least some protection, and to be really safe, suhosin for PHP is another thing to look at, but I am not sure about its effectiveness.

    Block dl,exec,passthru,proc_open,proc_close,shell_exec,system,curl_exec,curl_multi_exec,parse_ini_file,show_source
    in case of remote code vulnerabilities, if you really want to go that far. Even farther would be locking PHP down with base_dir and safe_mode, but that will break 90% of all PHP applications.

    Securing the temp directory with things like noexec may save you the time later if it comes to that.

    Firewall and protect SSH FTP and MySQL access.

    Some servers are configured so you can chmod to 700.

    Keeping PHP apps up to date shouldn't even have to be said.

    You have to secure the server itself before you secure anything else.
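
A small audit for the settings recommended in posts #5, #6 and #10 (disabled PHP functions, localhost-only MySQL, tight file permissions), added here as an example and not code posted by anyone in the thread. The function names and sample configs are constructed for illustration; `disable_functions`, `bind-address` and `skip-networking` are the real php.ini and my.cnf option names.

```python
import configparser
import os
import stat

# Function list taken from post #10 in this thread.
THREAD_LIST = ("dl,exec,passthru,proc_open,proc_close,shell_exec,system,"
               "curl_exec,curl_multi_exec,parse_ini_file,show_source").split(",")
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def missing_disabled_functions(php_ini_text):
    """Return functions from the thread's list that php.ini does not disable."""
    disabled = set()
    for line in php_ini_text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop php.ini comments
        key, sep, value = line.partition("=")
        if sep and key.strip() == "disable_functions":
            # A later assignment overrides an earlier one.
            disabled = {f.strip().lower()
                        for f in value.strip('" ').split(",") if f.strip()}
    return [f for f in THREAD_LIST if f not in disabled]


def mysql_reachable_remotely(my_cnf_text):
    """True unless [mysqld] sets skip-networking or a loopback bind-address."""
    cnf = configparser.ConfigParser(allow_no_value=True, strict=False,
                                    interpolation=None)
    cnf.read_string(my_cnf_text)
    if not cnf.has_section("mysqld"):
        return True                               # nothing set: assume the worst
    opts = {k.replace("_", "-"): v for k, v in cnf.items("mysqld")}
    # A bare "skip-networking" line parses as None and means "on".
    skip = opts.get("skip-networking", "0") or "1"
    if skip.lower() not in ("0", "off", "false"):
        return False
    return (opts.get("bind-address") or "").strip() not in LOOPBACK


def accessible_by_others(path):
    """True if any group or world permission bit is set on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


# Constructed sample configs, not taken from any real server.
SAMPLE_PHP_INI = "memory_limit = 128M\ndisable_functions = exec, system ,passthru ; partial\n"
SAMPLE_MY_CNF = "[mysqld]\nbind-address = 0.0.0.0\nport = 3306\n"

if __name__ == "__main__":
    print("still enabled:", missing_disabled_functions(SAMPLE_PHP_INI))
    print("MySQL reachable remotely:", mysql_reachable_remotely(SAMPLE_MY_CNF))
```

Run `accessible_by_others()` against the PHP configuration file that holds the database credentials; a result of `True` means accounts other than the owner have some access to it.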

  11. #11
    If you purchase "shared" hosting from a company like Godaddy.com, do they automatically secure the server for you?
