1

OK, so many people are asking this question, and there are many approaches on how to make the connection to the DB secure.

Now I did some googling; many suggest putting the DB connection code in a file outside the html_public, and calling it from there when I need to make a connection.

To be honest, I am happy with what I have, though I'm not sure how secure it is.

This is how I connect to the DB:

First, I make sure all inputs are fully escaped and validated...

After that, in the same page, I make the connection, for example:

mysql_connect("localhost","Admin","Password") or 
die ("DB Connection Error");
mysql_select_db("Users") or die ("DB Error");

and the rest of the code; after that, I close the mysql connection.

Now, it just doesn't feel right that the DB user info is written in the page, but how can someone (a "hacker") get this info?

I mean, all inputs are fully escaped and validated, and the users I use have very limited privileges, like select and update... only.

Is this secure? And if not, can you please suggest a more secure way?

Thank you very much for your help in advance :)

shady

Shady

3 Answers

4

The reason you should consider putting this file outside the web root is that some hosting providers have temporarily stopped interpreting PHP from time to time (due to configuration faults, often after an update on their part). The code will then get sent in clear text and the password will be out in the wild.

Consider this directory structure, where public_html is the web root:

/include1.php
/public_html/index.php
/public_html/includes/include0.php

Now consider this index.php:

<?php
include('includes/include0.php');
do_db_work_and_serve_page_to_visitor();
?>

If the web server starts serving this file in the open, it won't take long before someone tries to download include0.php. Nobody will be able to download include1.php, however, because it's outside the web root and therefore never handled by the web server.

Emil Vikström
  • Would it also reveal the included files? – Sebas Jun 24 '12 at 22:30
  • No, but those files could be easily found if they are inside the web root. I'll add an example to my answer in a couple of minutes. – Emil Vikström Jun 24 '12 at 22:31
  • Good question, I don't think it will reveal the included files, only "include("ssss");" for example, as the PHP code itself isn't interpreted – Shady Jun 24 '12 at 22:33
  • Aha, but then you can limit access to these files (the included ones), meaning to block direct access to these pages, am I correct? – Shady Jun 24 '12 at 22:34
  • Ok, nice example. How come we actually can include a file not handled by the server? – Sebas Jun 24 '12 at 22:43
  • Oh, I see, by webserver you meant HTTP server. OK. But what about putting the `include1.php` file of your example in another folder than public_html, but also in a subfolder? Then the rights to be given to the PHP process wouldn't compromise the root of `/public_html` security – Sebas Jun 24 '12 at 22:50
  • Of course you can place include1.php in /includes/ or something other than /public_html/. It is just an example. – Emil Vikström Jun 24 '12 at 22:51
  • OK, I kinda get the idea, though excuse me for my ignorance, but I mean, how can someone download the file, even if he knows the file name? And this question might sound very stupid, but let's say someone knew the DB user info, what can he do with it? He needs access to the server..., he can't upload or insert code to be executed by my server, if all input by the user is well escaped and validated – Shady Jun 25 '12 at 01:08
  • Sorry for the late answer. If the attacker can get your database password he may be able to connect to it in some way or other. Shared web hosters usually have phpMyAdmin installed for example. – Emil Vikström Aug 26 '12 at 07:28
1

I've personally not heard of a hosting provider not interpreting PHP, leading to your PHP source code going public. I just did a quick test on this on a RHEL5-based server without PHP installed, and just got back a blank page when trying to access a PHP document.

mysql_* functions have become deprecated with the latest releases of PHP, and are now moving towards mysqli, as an overall more efficient and secure solution; I'd recommend taking a look into that: http://php.net/manual/en/book.mysqli.php - there are no deprecation errors or anything of the sort yet in PHP 5.4 for using plain mysql_ functions, but if you're looking to keep on top of things, take a look into mysqli.

As for a quick answer to your above question, to be honest, I'd see that method as reasonably secure. Just make sure you've got escape chars etc set up, and I don't think you'll run into any issues.

Edit: Some people have posted that in very rare cases, some providers can leak your PHP source code in this manner. If this is the case, my first advice would be to switch provider... but using an include_once to load your DB info from another PHP file/lib would be a quick workaround for this. But again, if your provider's setup does allow for leaks such as these, I would be more concerned about their security than yours.

You can have PHP grab your DB password from a text file stored outside of the public webspace (using fopen), but I personally don't see any real reason for doing this.

Best of luck!

Eoghan
  • Well, honestly, I would only consider the example given by @EmilVikstrom as such. Clearly, in my opinion, even if the chance that what he told about happens is 0.01%, the *same effect* could be produced by *something else*... Since you *know* this could be a leak, why would you not make it safe *just in case*? Sincerely, if you think that this 0.01% represents X dollars/euros, up to you to make your own calculations – Sebas Jun 24 '12 at 22:46
  • I have seen the problem of "PHP downloads due to wrong configuration" a few times when I worked as a hosting provider, not on our own servers but on the dedicated servers where the customer had root access and did maintenance themselves. – Emil Vikström Jun 24 '12 at 22:48
0

The best practice is to use PHP PDO instead of the old mysql API.

Take a look: http://php.net/manual/en/ref.pdo-mysql.connection.php

Also, here's an interesting article: http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/

João Gonçalves
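Added example (not part of any answer above, and not the posters' code): the outside-the-web-root layout from the first answer combined with the PDO suggestion from the last one. The file name db_config.php, its array keys, the app_user account and the accounts table are assumptions made for illustration.

```php
<?php
// /public_html/index.php  (inside the web root)
// Assumed layout, following the first answer's directory example:
//   /db_config.php          outside the web root, never reachable over HTTP
//   /public_html/index.php  this file
declare(strict_types=1);

/*
 * db_config.php (hypothetical) holds nothing but the settings:
 *   return ['dsn'      => 'mysql:host=localhost;dbname=Users;charset=utf8mb4',
 *           'user'     => 'app_user',
 *           'password' => 'PLACEHOLDER'];
 */
function open_db(string $configPath, string $webRoot): PDO
{
    $config = realpath($configPath);
    $root   = realpath($webRoot);
    if ($config === false || $root === false) {
        throw new RuntimeException('Configuration not found');
    }
    // Refuse a config file that has ended up inside the web root: if PHP
    // handling ever breaks, that file would be served as plain text.
    if (strpos($config, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('Configuration must live outside the web root');
    }
    $cfg = require $config;   // the file returns an array, it prints nothing
    return new PDO($cfg['dsn'], $cfg['user'], $cfg['password'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
    ]);
}

try {
    $db   = open_db(__DIR__ . '/../db_config.php', __DIR__);
    // Bound parameter instead of manual escaping (table/column are assumptions)
    $stmt = $db->prepare('SELECT id FROM accounts WHERE name = ?');
    $stmt->execute([$_GET['name'] ?? '']);
    $row  = $stmt->fetch(PDO::FETCH_ASSOC);
    echo $row ? 'found' : 'not found';
} catch (Throwable $e) {
    // Details go to the server log only; the visitor sees a generic message.
    error_log($e->getMessage());
    http_response_code(500);
    exit('DB Connection Error');
}
```

If the server ever serves index.php as plain text, a visitor sees only the relative path to db_config.php, which the HTTP server cannot deliver because it lies outside public_html.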