3

I use the following php code to connect to mysql database.

<?php
// Database credentials used by connect.php
$hostname = "hostname.com";
$database = "dbtest";
$username = "admin";
$password = "pass123";
// Open a persistent connection; on failure raise a fatal E_USER_ERROR with the MySQL message
$connect = mysql_pconnect($hostname, $username, $password) or trigger_error(mysql_error(), E_USER_ERROR);
// Select the database on that connection
mysql_select_db($database, $connect);

This code is placed in a connection file called connect.php which is included in all php scripts that require access to database.

If a hacker gets the URL of connect.php (http://www.domainname.com/connect.php), is it possible to hack my database? How can I ensure that the PHP connection code does not help the hacker? Or which is the most secure way of connecting to the database?

  • If that is the only code in that file, it poses no danger whatsoever, unless the attacker is able to inject more code to be executed, or you have `.phps` enabled for viewing source code. If you are really worried, move that file outside documentroot. The `trigger_error()` instead of `die()` is nice to see, but make sure you don't show the error text to the user. – DaveRandom Jul 27 '12 at 11:44
  • the script doesn't output anything, except the trigger_error that in shared hosting doesn't output to the user's browser and usually is written to a file, so in the end the user that navigates to that URL will get a white page. – Gntem Jul 27 '12 at 11:45
  • Is your database server available to the world? Also, see Michael's much better answer in this recent question: http://stackoverflow.com/questions/11680808/how-to-invoke-a-php-file-that-is-located-outside-public-html – Marcus Adams Jul 27 '12 at 12:27

5 Answers

8

You should never ever have PHP files with code inside the document root of your website. The only thing in the document root should be a bootstrap file, and all requests should be routed through it. If you have that file inside the document root of your site and for some reason the webserver doesn't parse it, it will be displayed as is.

And please, don't use mysql_* functions for new code. They are no longer maintained and the community has begun the deprecation process. See the red box? Instead you should learn about prepared statements and use either PDO or MySQLi. If you can't decide, this article will help to choose. If you care to learn, here is a good PDO tutorial.

And always use an encrypted connection (SSL).

See this for routing examples and dispatching patterns. Basically what should happen is: all requests are handled by the index.php file under the document root. The index.php bootstraps everything, i.e. it calls (includes) another file outside of the document root. This file checks the URL of the request, finds out what file belongs to the current URL and executes it.

    /troll warning *what about wordpress*? – Michael Robinson Jul 27 '12 at 11:48
  • 4
    What about WP? Just don't use it... :-) @MichaelRobinson Have you seen the source. Oh the horror. – PeeHaa Jul 27 '12 at 11:49
  • 2
    It is the prime example of how not to do ... anything. – Michael Robinson Jul 27 '12 at 11:51
  • In my opinion, I don't like the idea of `prepared statements`, I want to decide myself what my query looks like – Richard de Wit Jul 27 '12 at 11:53
  • 6
    @GeenHenk Because it is [the summer of love](http://blog.stackoverflow.com/2012/07/kicking-off-the-summer-of-love/) I will not call you an idiot – PeeHaa Jul 27 '12 at 11:53
  • Can a sample code be given for the bootstrap file and routing requests through it? I have no idea how this works. – Sangam254 Jul 27 '12 at 12:26
  • 4
    @GeenHenk: then your opinion is wrong. :) Sorry, but prepared queries are pretty much security 101. Anything else is just asking for SQL injection vulnerabilities. There are plenty of places where differing opinions are great, but here, you are wrong, and you desperately need to change your mind, in much the same way as you'd be wrong if you said "In my opinion, I don't like the idea of driving in the same side of the road as everyone else", or "I don't like the idea of having to wash my hands before preparing food for my restaurant" – jalf Jul 27 '12 at 14:31
1

Typically, this should be secure regarding your config data, if the hacker only has the URL to the file and if your webserver is configured properly so that the raw source code is not revealed.

You can increase security if you place such a config file outside the web root directory.

1
  1. Do not use mysql_* functions.
  2. Put the file in some place other than under the document root directory of the web server.
  3. Configure the web server to only allow connections from a list of IP addresses.
  4. Consider using a secure connection (SSL) always and configure the database to only use SSL.
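Putting the bootstrap layout from the answer above (index.php as the only file under the document root, everything else outside it, PDO with prepared statements) together with this answer's list (config outside the document root, SSL to the database) as an added example; this is not code from any poster. The directory layout, the users table and the CA certificate path are assumptions.

```php
<?php
// /var/www/html/index.php: the only PHP file under the document root.
// Assumed layout (example code, not from any answer on this page):
//   /var/www/app/config.php  - credentials, one level above the document root
//   /var/www/app/pages/*.php - the real scripts, also outside the document root
// config.php only returns an array and outputs nothing, e.g.:
//   <?php return ['dsn' => 'mysql:host=hostname.com;dbname=dbtest;charset=utf8mb4',
//                 'user' => 'admin', 'password' => 'pass123',
//                 'ssl_ca' => '/etc/ssl/certs/mysql-ca.pem'];  // CA path is assumed
declare(strict_types=1);

$appDir = dirname(__DIR__) . '/app';
$config = require $appDir . '/config.php';

// Look up a user with a server-side prepared statement: the value travels
// separately from the SQL text, so it can never change the query's structure.
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Allowlist router: the URL path picks a script by name only, so a request can
// never name a file outside this map; nothing but index.php is web-reachable.
$routes = ['/' => 'home.php', '/users' => 'users.php'];
$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
if (!isset($routes[$path])) {
    http_response_code(404);
    exit('Not found');
}

try {
    // TLS to the database with the server certificate checked against the CA,
    // exceptions instead of silent failures, and real (not emulated) prepares.
    $pdo = new PDO($config['dsn'], $config['user'], $config['password'], [
        PDO::ATTR_ERRMODE                      => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES             => false,
        PDO::MYSQL_ATTR_SSL_CA                 => $config['ssl_ca'],
        PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true,
    ]);
    require $appDir . '/pages/' . $routes[$path];   // the page uses $pdo and findUser()
} catch (PDOException $e) {
    error_log($e->getMessage());   // details go to the server log only
    http_response_code(500);
    exit('Internal error');        // never echo the database error to the browser
}
```

With this layout a direct request for config.php or any page script gets a 404 from the web server, because those files are not under the document root at all.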
0

Nothing will happen if anyone accesses this page.

Though mysql_* by itself is insecure.

0

It's safe. You can also store the file outside DocumentRoot.
