0

I am doing a CRUD project, I have my database connectivity parameters saved in a file called conn.php its code is given below

<?php

$conn = @mysql_connect('127.0.0.1','root','');
if (!$conn) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db('mt', $conn);
?>

I am linking this file wherever I need database connectivity using the include function like this

<?php
include 'conn.php';
?>

But I am just wondering if this is not a security breach, I mean anyone can write their code and just include that connectivity file and then be able to operate on my database.

How do I stop this? I know not using the conn.php and writing the database connectivity code into each and every php page that needs to work with the database can solve this, but then there is the problem that if I ever need to change the database connectivity parameters then I will have to change those in each and every file that needs to work with the database, and that is not feasible, as I might end up having hundreds of such files. So what is the way around this?

Phil
  • 157,677
  • 23
  • 242
  • 245
Rick Roy
  • 1,656
  • 2
  • 21
  • 47
  • Maybe set special permissions on conn.php so only root access? – Sterling Archer Sep 03 '13 at 04:29
  • When you say *"anyone can write their code and just include that connectivity file"*, what do you mean? Only scripts on the same host that have access to that file have a hope of using it in an `include`. If you're on a shared host, you would hope that each user was appropriately separated / sandboxed. – Phil Sep 03 '13 at 04:33
  • Also, the MySQL extension has been deprecated. Read [this](http://stackoverflow.com/questions/13944956/the-mysql-extension-is-deprecated-and-will-be-removed-in-the-future-use-mysqli) and stop using it **right now** – Phil Sep 03 '13 at 04:35
  • @Class PHP Source code files are *not* included via web, hence even If they are web accessible no one can just simply call them like that and get the source or the resources – Hanky Panky Sep 03 '13 at 04:36
  • Did any answers here help you? If so, don't forget to mark the most helpful one as accepted. – m59 Mar 22 '15 at 16:48

2 Answers2

0

There is a lot that can be said on this subject. You have to keep in mind that technically these files are meant to be used by people, of course! That's what a person is doing when they visit your site - using your files! What you want to avoid is allowing them to use them maliciously. For example, you need to be sure that you use prepared statements when making database queries. You can also prevent direct use of some files (though it doesn't really make a difference) by setting a constant or variable in the parent file, then checking that that is set in all other files that will be included.

People can't just "write code" and use your server files however they want to unless you have your file permissions set waaaay wrong, lol. The major content managers have the information you are talking about stored right at the content manager's root, in the public folder.

This is an example of what some content manager's do just as an extra layer of security (but as I said, it is trivial...)

main file:

define('EXEC', 1);

included files:

<?php defined('EXEC') or die('Restricted access.');

The reason I call this trivial is that direct access of a file shouldn't be a security problem at all. In fact, it may be a nice thing to do for debugging. If the file does contain a security breach, at least it would have to be manipulated via the parent, which could slow down the attack.

m59
  • 43,214
  • 14
  • 119
  • 136
  • that would be a way in linux based hosts but as you can see this is running on a wamp server, and i have no way of setting up permissions or at least i dont know if it is possible to setup permissions in windows environment. – Rick Roy Sep 03 '13 at 04:34
  • @RickRoy No-one can *see this is running on a wamp server* as you have not included that information anywhere. Also, this answer does not mention any platform-specific solutions. – Phil Sep 03 '13 at 04:38
  • see the other comments on your post. I don't know what your hosting circumstance is, but I promise you people ought not be allowed to write/change any file on your server. If that is the case, you are in a very bad situation and need to get that fixed. Nonetheless, if possible, putting the file outside the public folder is not a bad way to go...just not necessary. – m59 Sep 03 '13 at 04:39
0

Avoid usage of functions like mysql_*, it's deprecated after PHP version 5.1. In this method you need create object with class and that object can be used anywhere

You should use PDO or mysqli instead of these

If it is in PDO just prepare() and execute() your sql query. Easy and secure.

PHP.net:

http://www.php.net/manual/en/book.pdo.php

http://php.net/manual/en/book.mysqli.php

and nettuts+: http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/

Geo V L
  • 866
  • 8
  • 25
  • well I will start using the PDO from now, but I was wondering couldn't we restrict the access to the file to a particular domain? Like check the page trying to include the conn.php file and see if it is from my domain, if not do a die(); won't that work? – Rick Roy Sep 03 '13 at 06:05