
I am designing a small website that makes queries to a SQL database system, without using any CMS. What is the safest way to store the SQL authentication parameters? Using a global $PASSWORD seems quite unsafe (having, for instance, Shellshock-like security loopholes in mind). Is it safer to use define("PASSWORD","password")?

Is this second method safer if one writes

define("SOMEOBFUSCATEDANDVERYLONGCONSTANTNAME","password");

If I use one of these methods, is it worth encrypting "password" and passing the crypt parameters with another method? Any explanations and suggestions welcome!

Tom-Tom
  • Why would `$password` be more unsafe than `define()`? – Azrael Oct 03 '14 at 08:03
  • If hackers are able to read your memory for the password you have bigger problems than the fact that your DB password is unencrypted as your PHP is running. – h2ooooooo Oct 03 '14 at 08:05
  • The question is illogical. Global variables or constants defined in the global scope have exactly the same scope - the global one. Why would you need to access a password variable for the SQL globally? – Repox Oct 03 '14 at 08:05
  • There may be a case to be made for constants being "safer" because they cannot suffer from things like register_globals. However, it will make very little difference in practice and I can't really think of any "attack" scenario one could construct here one way or the other. – deceze Oct 03 '14 at 08:08
  • It's neither here nor there. Even encrypting the password is pointless because your PHP application has to then decrypt it again. At some point, the password has to be provided and that will always be the weak link. – John Reid Oct 03 '14 at 08:10
  • @Repox. Thanks for your comment. I believe your answer about the scope partly answers my question. Is it safer to hard-code the password everywhere it should be used, then? – Tom-Tom Oct 03 '14 at 09:01
  • @deceze. Thanks for your comment. That's quite reassuring, even though there are always surprises concerning security, especially this year! – Tom-Tom Oct 03 '14 at 09:02
  • @JohnReid. That was my concern. Is there a safe way to use this password? – Tom-Tom Oct 03 '14 at 09:02
  • @Azrael. A global variable is mutable; `define` only builds constants. The C preprocessor also uses `#define`; the replacements are made before the code is sent to the compiler. This is a completely different behaviour, which is why I asked the question: I don't know (and didn't find) how the PHP interpreter works in detail. – Tom-Tom Oct 03 '14 at 11:52
  • There are many suggestions here: http://stackoverflow.com/questions/97984/how-to-secure-database-passwords-in-php. The problem remains, though: at some point you have to pass the details to MySQL. The best you can do is secure the DB from outside access and use a restricted user. – John Reid Oct 03 '14 at 14:11

1 Answer

is it safer to use global or define and why?

The answer is no, according to me, because it reaches from a local to a global scope. We should not need to rely on anything outside the function when we call it.

The second thing is that using global means the function is dependent on the other scope. This can mess things up.

Please have a look here for a detailed explanation

Avinash Babu
  • Thank you for your comment and the link. I actually use global variables as little as I can. But PHP defines some globals like `$SERVER`, `$_GLOBALS`, `$_POST`, `$_GET`, etc. So it seems they cannot be completely avoided. Besides this remark, your answer seems to contradict @Repox's comment to my question about the scopes. – Tom-Tom Oct 03 '14 at 11:08
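An added example (not code from the question or the answer) illustrating the two points made in the thread: a constant and a global variable are equally reachable from inside any function, so neither form hides the password, and what actually limits exposure is keeping the credentials out of global scope and out of the web root, with a restricted DB user. The names DB_PASSWORD, $dbPassword, showReach, connectDb, the path /etc/myapp/db.php and the account app_readonly are constructed for this illustration.

```php
<?php
// Point 1: constant vs. global makes no difference to visibility.
// Both values below are constructed sample strings.
define('DB_PASSWORD', 'constant-secret');
$dbPassword = 'global-secret';

function showReach(): array
{
    // The constant needs no declaration; the global is one lookup away.
    // Any included third-party code can do exactly the same.
    return [
        'constant' => DB_PASSWORD,
        'global'   => $GLOBALS['dbPassword'],
    ];
}
var_dump(showReach() === ['constant' => 'constant-secret', 'global' => 'global-secret']); // bool(true)

// Point 2: keep the credentials in a file outside the document root,
// readable only by the web server user, and load them into a local
// variable that dies with the function. Assumed contents of
// /etc/myapp/db.php (hypothetical path):
//   <?php return ['dsn'  => 'mysql:host=localhost;dbname=app',
//                 'user' => 'app_readonly', 'pass' => 'file-secret'];
// The account app_readonly is assumed to hold only the privileges the
// site needs, e.g. GRANT SELECT ON app.* TO 'app_readonly'@'localhost';
function connectDb(string $configPath): PDO
{
    $cfg = require $configPath;           // credentials exist only in this scope
    $pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
    unset($cfg);                          // nothing left for a later var_dump($GLOBALS)
    return $pdo;
}

// Usage (the config file must exist for this to run):
// $pdo = connectDb('/etc/myapp/db.php');
// $stmt = $pdo->prepare('SELECT title FROM posts WHERE id = ?');
// $stmt->execute([42]);
```

Encrypting the password in the config file, as the comments note, only moves the problem to where the decryption key is stored; file permissions and a least-privilege DB account are what reduce the impact of a leak.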