4

I've made a simple web page for business clients that operates on MySQL database used mainly by our B2C Prestashop based e-shop. We're using shared hosting. This website is mostly based on jQuery jTable (jtable.org) and is meant to show current, approximate stock of products.

I've used jQuery jTable 'starter pack' and created a simple front-end view for our partners. It looks more or less like the one in jTable tutorial:

        $(document).ready(function () {

        //Prepare jTable
        $('#PeopleTableContainer').jtable({
            title: 'Product Availability',
            actions: {
                listAction: 'someconfigfile.php?action=list',
            },
            fields: {
                column1: {
                    title: 'column1',
                    width: '70%',
                    key: true
                },
                column2: {
                    title: 'column2',
                    width: '30%'
                }
            }
        });

        //Load person list from server
        $('#PeopleTableContainer').jtable('load');

    });

As I only want to show data I have in MySQL database, I've prepared read-only user and I'm using his credentials to access database. As seen in jQuery script, I'm accessing database through someconfigfile.php and 'list' action.

The someconfigfile.php includes MySQL connection string and also my SQL query for populating the table in front-end view. What I want to do for security purposes is to put someconfigfile.php in directory above my public_html folder. Folder containing HTML, PHP and CSS files for front-end will stay below public_html.

My question is:

  • Will my password be accessible by anyone if I put it above public_html? My whole front-end code is this jQuery jTable above.
  • Am I vulnerable to SQL Injection if I only get data with mysql_fetch_assoc($result) and then print json_encode of the array()? User cannot enter any data here.

Edit: Please also note that from jTable CRUD functions I've only left Read option. Create, Update and Delete options have been removed.

mwilczynski
  • 3,062
  • 1
  • 17
  • 27
  • 1
    _“Will my password be accessible by anyone if I put it above public_html?”_ – you mean anyone sharing the server with you, or “outsiders” accessing resources via HTTP? The latter should be impossible (if the web server is configured correctly, i.e. public_html is the web root), whereas the former depends on the configuration your hoster is running. – CBroe Feb 12 '14 at 15:13
  • I meant web access, that is by HTTP. I have no access to server configuration as it's shared hosting, so I won't bother myself with things I can't change. How about vulnerability of JavaScript above? – mwilczynski Feb 12 '14 at 16:33

2 Answers2

1

The password will be stored in your php files and therefore not accessible through a HTTP request even if those files are located under public_html file.

Being on a shared host expose you to the possibility that someone using the same hosting server might be able to get access to your files but I assume your hosting company did everything they have to do in order to restrict access to files intra-customers.

That said, you still need to protect your html files with a password, otherwise anyone would be able to gain access to your database information.

Matteo Galli
  • 56
  • 1
  • 4
  • AFAIK if their PHP will mess up, go down and so on, the .php file will show what it contains (I use .php file for both configuration and index file). If it's above webroot and or protected by .htaccess rule, it should be fine I think. – mwilczynski Feb 14 '14 at 18:49
  • Of course it's not the best best practice but since he has to deal with only one public directory on a shared webhosting there's nothing much he can do. Even protecting the whole thing with an .htaccess is not enough, what if the hosting company messes up with the .htaccess as well? And even if the password is exposed the mysql server will probably allow connections from localhost or restricted IPs. – Matteo Galli Feb 14 '14 at 21:13
  • I have access to one directory above webroot. It means that it shouldn't expose data that .php file contains as it's not accessible through HTTP request (or at least should not be). – mwilczynski Feb 15 '14 at 07:38
1

I'm not sure how this works really as I haven't tried it, but learned about it the other day so I thought I'd share.

With GoDaddy, you can point your primary domain name at a sub-directory, therefore creating a new document root before it, so to speak. This may not be the case for other hosts but worth checking.

For example, create a new directory called 'application' in your root directory, upload your application's files there and point your primary domain there (You may need to remove the domain name first and then add it again with the specified directory). You can then include files - your database credentials for example - from before your new document root, which is now not available to the public but available to your application.

NEW STRUCTURE

DB Credentials:

/home/www/html/someSite/dbCredentials.php

Your Website (where primary domain is now pointed):

/home/www/html/someSite/application/index.php

EXAMPLE:

In dbCredentials.php add your credentials:

<?php
$strHostName = “10.10.10.10”; 
$strDbName = “dbname”;
$strUserName = “dbuser”;  
$strPassword = “xxx***xxx”;
?>

On your web page, include the file and use variables as normal:

<?php
require_once ('/home/www/html/someSite/dbCredentials.php');
$db_found = new PDO("mysql:host=$strHostName..........);
?>

SOURCE:

http://support.godaddy.com/help/article/4175/specifying-a-new-default-document-root-on-your-hosting-account?pc_split_value=4&countrysite=uk

If you try it, let me know how it goes.

TheCarver
  • 19,391
  • 25
  • 99
  • 149