You MUST move Joomla configuration in the database.

WebMaestro
Joomla! Apprentice
Posts: 6
Joined: Tue Jan 09, 2007 5:22 pm

You MUST move Joomla configuration in the database.

Post by WebMaestro » Sun Feb 22, 2009 7:00 am

Hi guys.

My name is Abdoulaye Siby aka Asiby aka WebMaestro.

You are doing an awesome job with Joomla. Keep it up.

I have been developing for Mambo and Joomla for several years now, and I also develop for Drupal and A2Billing. After dealing with several hacking situations involving Joomla, I have realized that there is one thing that you can add in order to improve the security.

I have noticed that the configuration file and many folders are required to have the 777 permission in order for Joomla to work properly in a web hosting environment. That is pretty unsafe. Also, making configuration.php read-only will negate the global configuration, as it would prevent even the super administrator from modifying Joomla's global configuration on the fly.

Now, Joomla is using the class JConfig to contain all the configuration options. I suggest that you move all the configuration (except the database settings) into the database. The JConfig class will look roughly like the following.

<?php
class JConfig {
    /* Database Settings (the only options that stay in the flat file) */
    var $tablename = "configuration";
    var $dbtype = 'mysqli';
    var $host = 'localhost';
    var $user = 'myusername';
    var $password = 'mysecret';
    var $db = 'my';
    var $dbprefix = 'jos_';

    private $link;

    public function __construct(){
        /**
         * Connect to the DB here or make sure that the framework does it
         * before any configuration variable is either read or written
        **/
        $this->link = new mysqli($this->host, $this->user, $this->password, $this->db);
        if ($this->link->connect_error) {
            throw new RuntimeException('DB connection failed: ' . $this->link->connect_error);
        }
    }

    // Column names cannot be bound as query parameters, so only accept plain identifiers.
    private function column($var) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $var)) {
            throw new InvalidArgumentException("Bad option name: $var");
        }
        return '`' . $var . '`';
    }

    public function __get($var) {
        //Query: SELECT $var FROM {#__$this->tablename};
        $sql = 'SELECT ' . $this->column($var)
             . ' FROM `' . $this->dbprefix . $this->tablename . '` LIMIT 1';
        $res = $this->link->query($sql);
        $row = $res ? $res->fetch_row() : null;
        return $row ? $row[0] : null;
    }

    public function __set($var, $val) {
        //Query: UPDATE {#__$this->tablename} SET $var = '$val';
        // Bind the value as a parameter so a setting typed in the admin UI cannot alter the statement.
        $sql = 'UPDATE `' . $this->dbprefix . $this->tablename . '` SET '
             . $this->column($var) . ' = ?';
        $stmt = $this->link->prepare($sql);
        $stmt->bind_param('s', $val);
        $stmt->execute();
    }
}


The above code does not require any change in the existing modules that access the configuration options properly. Simply accessing or setting a configuration setting will be enough. PHP will use the magic functions __get() and __set() to do the rest.

After moving the config into the DB, the configuration.php file can permanently have read-only permission while the admin user will still enjoy the admin interface. I understand that some changes will be required in the admin interface because it is currently reading and saving all the global configuration data in the flat file.

Cheers

A. Siby
To be successful in life, you don't need to do extraordinary things ... you need to do ordinary things extraordinarily well.

bobbravo2
Joomla! Apprentice
Posts: 39
Joined: Sun Jul 22, 2007 10:45 pm
Location: Orlando, FL

Re: You MUST move Joomla configuration in the database.

Post by bobbravo2 » Wed Feb 25, 2009 6:16 pm

Great idea

dattard
Joomla! Ace
Posts: 1035
Joined: Tue Apr 11, 2006 7:29 pm

Re: You MUST move Joomla configuration in the database.

Post by dattard » Wed Feb 25, 2009 8:34 pm

I prefer it the way it is. The "raw" configuration is done via config file, and then all parameters are in the database.

What if you need to change the database? The way it is, it is dead easy to migrate.
WebMaestro wrote: I have noticed that it is required that the configuration file and many folders must have the 777 permission in order for Joomla to work properly on a web hosting environment
That means the webhost you are using sucks big time and you should change it. Not a very valid excuse to move the configuration database out of the database.
https://www.collectiveray.com - We make Joomla and WordPress Easy: Tutorials, Tips and Tricks, Lots of Free Modules incl. Easy Paypal, Popin Window, Random Flash, Google AdSense, Slide Menu (dropdown), 2CO / Paypal payment, [youtube] module, and more!

bobbravo2
Joomla! Apprentice
Posts: 39
Joined: Sun Jul 22, 2007 10:45 pm
Location: Orlando, FL

Re: You MUST move Joomla configuration in the database.

Post by bobbravo2 » Wed Feb 25, 2009 8:46 pm

If you need to change the database why not just edit it via phpMyAdmin?

mic
Joomla! Guru
Posts: 692
Joined: Thu Aug 18, 2005 10:51 pm
Location: Austria

Re: You MUST move Joomla configuration in the database.

Post by mic » Wed Feb 25, 2009 9:06 pm

bobbravo2 wrote:If you need to change the database why not just edit it via phpMyAdmin?
While the idea of moving the config into the database is very old (was once at Mambo's time, I remember), not every 'Webmaster' is a web master!
http://www.joomx.com - custom extensions and development
http://www.joomlasupportdesk.com - support, migration, training and consulting
Member of the German Joomla Translation Team

bobbravo2
Joomla! Apprentice
Posts: 39
Joined: Sun Jul 22, 2007 10:45 pm
Location: Orlando, FL

Re: You MUST move Joomla configuration in the database.

Post by bobbravo2 » Wed Feb 25, 2009 9:30 pm

righty right right...okay I've been convinced as to the utility of configuration.php as a flatfile database

WebMaestro
Joomla! Apprentice
Posts: 6
Joined: Tue Jan 09, 2007 5:22 pm

Re: You MUST move Joomla configuration in the database.

Post by WebMaestro » Thu Feb 26, 2009 5:21 pm

dattard wrote:I prefer it that way it is. The "raw" configuration is done via config file, and then all parameters are in the database.

What if you need to change the database? The way it is, it is dead easy to migrate.
Seriously, do you really not know what to do when it comes time to change the database? For crying out loud, the entire content of the web site is sitting in a database. If that should be a problem, then I guess that we will be screwed. :eek: Come on, think outside the box and really think about it. If you really need to change the DB, then DUMP everything and import it in the new DB.

The only things that should be kept inside configuration.php are the configuration options that will never and should never be changed from the Admin interface (db username, db password, db port, db host, and maybe a few others). After doing that, the other options can be considered as Site "Parameters" and moved into a DB. You said that you wanted the "raw" configuration done via config file, and then all parameters in the database. Then that's my idea also. The only difference is that you want the entire list of configuration options to stay in the flat file while being editable from the Admin UI.

I haven't personally seen a single web hosting company that lets you modify configuration.php when its permission is set to 755, which is the expected behavior. It's easy to say that the web hosting company sucks. But suggesting that we should just avoid them does not fix this security risk.

I don't know what you guys really think about this, but I thought it was a common sense thing. The current way to go does not make any sense to me anymore.

Cheers

Abdoulaye Siby
To be successful in life, you don't need to do extraordinary things ... you need to do ordinary things extraordinarily well.

bobbravo2
Joomla! Apprentice
Posts: 39
Joined: Sun Jul 22, 2007 10:45 pm
Location: Orlando, FL

Re: You MUST move Joomla configuration in the database.

Post by bobbravo2 » Thu Feb 26, 2009 6:06 pm

Would you mind posting what you'd leave in the current configuration.php file?

Tonie
Joomla! Master
Posts: 16553
Joined: Thu Aug 18, 2005 7:13 am

Re: You MUST move Joomla configuration in the database.

Post by Tonie » Thu Feb 26, 2009 6:12 pm

For configuration.php, the easiest is to make sure that the owner of that file is your FTP user which you can always do, regardless of hosting party. Set the permissions to 755. If you need to change something, set it temporarily to 777, make the change and change it back to 755. This is safer than having the Apache user ownership on the file.

dattard
Joomla! Ace
Posts: 1035
Joined: Tue Apr 11, 2006 7:29 pm

Re: You MUST move Joomla configuration in the database.

Post by dattard » Fri Feb 27, 2009 6:17 pm

WebMaestro wrote: The only things that should be kept inside configuration.php are the configuration options that will never and should never be changed from the Admin interface (db username, db password, db port, db host, and maybe a few others). After doing that, the other options can be considered as Site "Parameters" and moved in a DB. You said that you wanted the "raw" configuration is done via config file, and then all parameters are in the database. Then that's my idea also. The only difference is that you want the entire list of configuration options to stay in the flat file while being editable from the Admin UI.
Agreed here. DB connect stuff should be kept outside the db :)

Rest of the stuff can go into the database itself ...
https://www.collectiveray.com - We make Joomla and WordPress Easy: Tutorials, Tips and Tricks, Lots of Free Modules incl. Easy Paypal, Popin Window, Random Flash, Google AdSense, Slide Menu (dropdown), 2CO / Paypal payment, [youtube] module, and more!

WebMaestro
Joomla! Apprentice
Posts: 6
Joined: Tue Jan 09, 2007 5:22 pm

Re: You MUST move Joomla configuration in the database.

Post by WebMaestro » Fri Feb 27, 2009 7:25 pm

Yes, indeed.
Tonie wrote:For configuration.php, the easiest is to make sure that the owner of that file is your FTP user which you can always do, regardless of hosting party. Set the permissions to 755. If you need to change something, set it temporarily to 777, make the change and change it back to 755. This is safer than having the Apache user ownership on the file.
Hello Tonie, I have tried that. But the problem is that the person working on the web site is not always a "web master", as dattard mentioned earlier. Sometimes they don't even know the FTP information and we don't want them to know it. That will make it difficult for them to change the permissions from time to time.

Cheers
To be successful in life, you don't need to do extraordinary things ... you need to do ordinary things extraordinarily well.

JeremyRReger
Joomla! Enthusiast
Posts: 164
Joined: Wed Jul 16, 2008 4:42 pm
Location: Columbus, Ohio

Re: You MUST move Joomla configuration in the database.

Post by JeremyRReger » Fri Feb 27, 2009 7:27 pm

bobbravo2 wrote:Would you mind posting what you'd leave in the current configuration.php file?

good question...
RomansTwelve.net - Total Web Consulting
Joomla Hidden Secrets http://www.slideshare.net/brianteeman/h ... la-secrets

WebMaestro
Joomla! Apprentice
Posts: 6
Joined: Tue Jan 09, 2007 5:22 pm

Re: You MUST move Joomla configuration in the database.

Post by WebMaestro » Fri Feb 27, 2009 9:39 pm

These ...


...
/* Database Settings */
var $dbtype = 'xxxxxxx';
var $host = 'xxxxx';
var $user = 'xxxxx';
var $password = 'xxx';
var $db = 'xxxxxxx';
var $dbprefix = 'jos_';
...
To be successful in life, you don't need to do extraordinary things ... you need to do ordinary things extraordinarily well.

brad
Joomla! Master
Posts: 13272
Joined: Fri Aug 12, 2005 12:38 am
Location: Australia

Re: You MUST move Joomla configuration in the database.

Post by brad » Fri Feb 27, 2009 9:50 pm

Run suphp (among other things), and then this will not be an issue. You will be able to edit your Joomla Global Configuration via your Joomla admin.

WebMaestro
Joomla! Apprentice
Posts: 6
Joined: Tue Jan 09, 2007 5:22 pm

Re: You MUST move Joomla configuration in the database.

Post by WebMaestro » Sun Mar 01, 2009 12:45 am

Thanks, but IMHO that will be just as bad. Running suPHP sounds to me like chmoding everything to 777. If we use suPHP for executing PHP scripts with the permissions of their owners, it will mean that every single visitor will potentially have the same permissions as the owner, which will include "write access". Bad idea. Besides, suPHP is a module. That makes matters worse. It's difficult enough to convince a web hosting company to simply turn register_globals OFF or to activate "AllowOverride". They will most likely refuse to install suPHP.

Cheers
To be successful in life, you don't need to do extraordinary things ... you need to do ordinary things extraordinarily well.

brad
Joomla! Master
Posts: 13272
Joined: Fri Aug 12, 2005 12:38 am
Location: Australia

Re: You MUST move Joomla configuration in the database.

Post by brad » Sun Mar 01, 2009 12:57 am

The exact opposite.. suphp requires you to chmod to 644 for files and 755 for folders.

If a webhosting company doesn't offer you an appropriate service for your needs.. leave.

You may wish to read my strong feelings on the matter here:
http://community.joomla.org/team-blogs/ ... en-up.html
http://community.joomla.org/blogs/leade ... we-do.html
http://community.joomla.org/team-blogs/ ... -time.html

I have VERY strong views on this matter, as good hosting is one of the main parts of a secure website.
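The two permission recipes in this thread (Tonie's: FTP-user-owned configuration.php at 755, raised to 777 only while editing; brad's: 644 for files and 755 for folders under suPHP) both come down to "no group or world write bit on the config file". The script below is an added example, not code from the thread or from Joomla, that audits a path for those bits and applies the 644/755 layout. It assumes a POSIX sh with `ls`, `cut`, `chmod` and `mktemp`, parses `ls -ld` instead of `stat` so it behaves the same on GNU and BSD userlands, and only ever touches a scratch file it creates itself.

```shell
#!/bin/sh
# Added example: audit a configuration.php (or any path) for group/world
# write permission and apply the 0644-file / 0755-directory layout.
# Works on a scratch copy it creates; point report/lock_down at a real
# install only after reading what they do.

# Return 0 if the path has neither the group nor the world write bit,
# 1 if it has either, 2 if it does not exist. Field 1 of `ls -ld` is
# the 10-character mode string: type, then rwx for user, group, other.
config_is_locked_down() {
    [ -e "$1" ] || { echo "missing: $1" >&2; return 2; }
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 1 ;;   # group-write or other-write set
    esac
    return 0
}

# Apply the tighter mode: 0755 for directories, 0644 for regular files.
lock_down() {
    if [ -d "$1" ]; then
        chmod 0755 "$1"
    else
        chmod 0644 "$1"
    fi
}

# One report line per path; run it over an install's config and tmp dirs.
report() {
    for p in "$@"; do
        if config_is_locked_down "$p"; then
            echo "OK   $(ls -ld "$p" | cut -c1-10) $p"
        else
            echo "WARN $(ls -ld "$p" | cut -c1-10) $p (group/world-writable)"
        fi
    done
}

# Demonstration on a constructed scratch file (assumed layout, not a real site).
demo() {
    tmp=$(mktemp -d) || return 1
    cfg="$tmp/configuration.php"
    printf '<?php class JConfig {}\n' > "$cfg"
    chmod 0777 "$cfg"            # the "the hoster needs 777" state
    report "$cfg" "$tmp"
    lock_down "$cfg"
    lock_down "$tmp"
    report "$cfg" "$tmp"
    rm -rf "$tmp"
}

demo
```

Ownership is the other half of Tonie's advice: the mode check above passes for a 644 file owned by the Apache user too, so pair it with a look at the owner column of the same `ls -ld` output when auditing a shared host.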

WebMaestro
Joomla! Apprentice
Posts: 6
Joined: Tue Jan 09, 2007 5:22 pm

Re: You MUST move Joomla configuration in the database.

Post by WebMaestro » Sun Mar 01, 2009 1:54 am

brad wrote:The exact opposite.. suphp requires you to chmod to 644 for files and 755 for folders.
Good. Thanks for the info.
brad wrote:If a webhosting company doesn't offer you an appropriate service for you needs.. leave.
The idea here is to do things in a way that will avoid closing the door on opportunities. When building applications, we should be the ones building them in a way that will be compatible with already existing infrastructure. And that is not impossible. It will only make your application less popular if it requires a very specific configuration on servers. It's like what's happening with Internet Explorer versus the other browsers. Many people will make it clear on their Web site that it is only compatible with such and such web browser. That's an easy way out. They should be thinking about what they can do to be compatible with the other browsers. That same approach applies here. Someone said so well that "when pointing a finger at someone else, there are 4 other fingers pointing back at you". I am not looking for an easy way out. Have you ever used Drupal (among others)? If you did, then what do you think about the settings file (or instance default.php) versus Joomla's configuration.php "security wise"? If you didn't, then learn about it. It is extremely powerful in comparison to Joomla. No offense guys. I use them both extensively, and that's my opinion. And to be honest, when it comes to the things related to configuration.php, Joomla is a less portable CMS. That's the only thing that I was trying to address here. I know how to temporarily work around these issues, but the solutions will often take away the advantage of using a CMS and the user-friendliness of the whole thing.

I think that there is not much that I can add to this thread. I just wanted to send a message to the Joomla Dev team and the community at the same time. People can take it or just leave it as a background noise. Fine by me. If I find the time to do it, I will have a patch that I will simply apply to each Joomla install that I will do. The dev team members are skillful enough to be able to implement this concept. Again, I just wanted to send the message.

Thanks for your replies.

I'm out of here.

Cheers guys.
To be successful in life, you don't need to do extraordinary things ... you need to do ordinary things extraordinarily well.

brad
Joomla! Master
Posts: 13272
Joined: Fri Aug 12, 2005 12:38 am
Location: Australia

Re: You MUST move Joomla configuration in the database.

Post by brad » Sun Mar 01, 2009 1:59 am

If you choose to drive a car knowingly with a poor safety rating, in the case of an accident, you can't blame the car. The same goes for your choice of webhost. There are many others out there; there is no best web host though, only the one best for you. I'm glad you are happy with the current situation you find yourself in.

Thanks for sharing your thoughts on the matter, but security is not only a Joomla thing.. it also relies on other factors.

Hackwar
Joomla! Virtuoso
Posts: 3788
Joined: Fri Sep 16, 2005 8:41 pm
Location: NRW - Germany

Re: You MUST move Joomla configuration in the database.

Post by Hackwar » Fri Mar 06, 2009 12:51 pm

What do you guys think would be gained by moving the not-db-related config options to the database? In the end, it doesn't matter what you do: if you gained access to the system and have been able to read the configuration.php with the db connection settings, you will be able to change the database and do whatever you want. Also, setting a file/folder to 666/777 does not mean that automatically everybody can edit those files. You still need a security hole in your system to get in, and if there is a security hole to get in, you already can edit the database and change whatever you want.
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.

Umbungo
Joomla! Apprentice
Posts: 47
Joined: Fri Apr 11, 2008 8:11 am

Re: You MUST move Joomla configuration in the database.

Post by Umbungo » Thu Mar 12, 2009 1:33 am

That's insane.
Joomla is slow enough as it is.
Why not use the site key to encrypt a flat file database, which in turn is only updated when database input occurs?

This would speed Joomla up massively for users on shared hosting solutions (the majority) and kill Joomla's reputation of being a slow CMS.

A lot of users don't know how to use .htaccess, which helps protect from injection attacks.

Perhaps a better solution would be to make all queries pass through a filter using a few lines of code, ensuring that injection attacks fail every time.

Apart from adding a radio button in Joomla that allows you to place modules in 'all but these' locations, I can't think of anything better that Joomla desperately needs.

Bongo
Joomla! Apprentice
Posts: 5
Joined: Sun Jan 22, 2006 11:36 am
Location: SUNDSVALL

Re: You MUST move Joomla configuration in the database.

Post by Bongo » Thu Mar 12, 2009 10:14 am

Some could move to the DB but some cannot.

This is my real world situation:
1) I almost always develop on my own machine park, and after tests and approval I move the installation to the customer's webhotel, or I have a subcontractor do that job.

2) The customers' webhotels either offer access to MySQL through phpMyAdmin or, on a few occasions, the webhotel admins / customer's IT dept. load the database with the database dump from my machine.

So I need to be able to set the physical path, db access and live site URL after I've loaded the final database with the content.

While it is possible to manually tweak some fields, sometimes I don't even have access to the database from where I am. Sure, I have the id & pass, but usually the id is restricted to localhost or a machine within the webhotel NAT.

I also want to be able to set the site online/offline if the database host is down or has errors.

So I'd keep these lines, which are the ones I need to reconfigure whenever I move an installation from development to production on the customer's webhotel / private server / whatever.


var $live_site = 'http://mydevelopmentmachine.mydomain.se/customer44';
#
var $offline_message = 'Webbplatsen är stängd för underhåll. Välkommen tillbaka senare.';
var $offline = '0';
#
var $dbtype = 'mysql';
var $host = 'mydevelopmentmysqlhost';
var $user = 'mydevelopmentuser';
var $password = 'pw';
var $db = 'mydevelopmentdatabase';
#
var $log_path = '/customers/xxx/xxx/httpd.www/logs';
var $tmp_path = '/customers/xxx/xxx/httpd.www/tmp';

Umbungo
Joomla! Apprentice
Posts: 47
Joined: Fri Apr 11, 2008 8:11 am

Re: You MUST move Joomla configuration in the database.

Post by Umbungo » Thu Mar 12, 2009 11:29 am

Hi Bongo
There are some very nice Joomla SQL extensions available that will let you manipulate the database in almost any way you like!

Hop over to here: Joomla Database Extensions and take a peek if you haven't already :eek:

Hope this helps you out a little :)

kurchania
Joomla! Hero
Posts: 2070
Joined: Mon Sep 21, 2009 6:56 am
Location: Indore, India

Re: You MUST move Joomla configuration in the database.

Post by kurchania » Mon Dec 07, 2009 11:39 am

Hello All,

I want to develop a system in which we have the same Joomla file structure but use a different database, to design multi-vendor systems using the same files but with different databases. For that I tried the following things:

1. Create the database that contains all the essential parameters of configuration.php and the name of the URL.

Assign their values at runtime in the constructor. The database contains all the parameters of configuration.php and generates them at runtime on the basis of the site URL.
abhijeet kurchania
The future depends on what you do today
