
I have a server running a Debian OS, and I have a multitude of .php scripts located in the default Apache public directory. This is definitely not the most secure way to do this, but I have a script that will execute whatever `$_REQUEST["sql"]` says against a MySQL database. You can only query this if you have the correct password, which is compared in plain text in the script.

My question is could an attacker somehow view this script and find the password, then execute sql statements at will?

B L
  • Everything is possible... – FirstOne Mar 10 '16 at 22:59
  • Viewing the script is not the only way for an attacker to discover the password. – Don't Panic Mar 10 '16 at 22:59
  • @Don'tPanic so what should I be looking out for? – B L Mar 10 '16 at 23:00
  • It's really too broad to answer here. Obviously you are concerned that this is a security risk. It is. There must be some better way to solve whatever problem you are trying to solve by having a script that will execute arbitrary SQL queries. Maybe trying to discover how to solve that problem could be a more answerable question. – Don't Panic Mar 10 '16 at 23:03
  • "I have a script that will execute whatever `$_REQUEST["sql"]`..." **QUADRUPLE NO**. Never. Ever. Do. This. If you need to expose your database, at least use a tool that's been tested like phpMyAdmin. – tadman Mar 10 '16 at 23:08
  • @tadman yeah that definitely makes sense. If anything was going to be compromised, that script would definitely result in the demise of my database – B L Mar 10 '16 at 23:14
  • If you can see it, it means somebody else can see it in some way. – T D Nguyen Mar 11 '16 at 01:10

1 Answer


Is it possible? Sure it is, if your server is hacked, which is a real possibility. That being said, it's actually pretty normal to include credentials in PHP files (e.g. WordPress), even if it's not the most secure way possible.

What you are talking about, however, is an unnecessary security risk. In terms of authentication, you should use a one-way hash on the password so that if the PHP files are compromised, an attacker will still not be able to use them. Check out the `password_hash()` function.

Furthermore, you should never be executing SQL statements sent directly by the user. If you are going to be performing administrative tasks, use either Adminer or phpMyAdmin. SQL statements should be generated server-side using prepared statements to escape user-input information.

Daniel Centore
  • All it takes is one mistake and your PHP files are up for grabs if you reference them directly in your paths. Fetching `/index.php` if the PHP module is not loading properly will show source code. That's okay if you're using a framework where everything is properly routed and hidden, but it's a disaster if you're using individual PHP endpoints for each page. – tadman Mar 11 '16 at 03:49
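The pattern the answer above recommends, written out as an added example that is neither the asker's script nor the answer's own code: the endpoint verifies a hashed password instead of comparing plain text, and runs one fixed query through a prepared statement rather than executing `$_REQUEST["sql"]`. It assumes PHP with the PDO sqlite driver (an in-memory stand-in for MySQL so it runs offline) and a constructed sample password, table and request.

```php
<?php
// Added example: hardened replacement for a "run whatever SQL the client
// sends" endpoint. Assumes PDO with the sqlite driver; swap the DSN for a
// mysql: DSN in real use. All data below is constructed for the example.

// Stored credential. In production, generate the hash once with
// password_hash() and keep it outside the web root (config file or
// environment variable); it is computed here only so the example is
// self-contained. 'correct horse' is a constructed sample password.
$storedHash = password_hash('correct horse', PASSWORD_DEFAULT);

// In-memory database with constructed rows, standing in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (name, email) VALUES
            ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

/**
 * Look up a user by name. The SQL text is fixed in the script; the caller
 * only controls the bound value, so input such as "' OR 1=1 --" is matched
 * as a literal string and returns no row instead of altering the query.
 */
function findUserByName(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// When run from the command line, simulate a request with a constructed
// injection-style name so the behaviour can be observed without a web server.
if (PHP_SAPI === 'cli') {
    $_REQUEST = ['password' => 'correct horse', 'name' => "' OR 1=1 --"];
}

$password = $_REQUEST['password'] ?? '';
$name     = $_REQUEST['name'] ?? '';

// password_verify() compares against the stored hash in constant time; the
// plaintext password never appears in the script.
if (!password_verify($password, $storedHash)) {
    http_response_code(401);
    exit('unauthorized');
}

// Only the fixed query runs; $_REQUEST['sql'] is never read.
header('Content-Type: application/json');
echo json_encode(findUserByName($pdo, $name)), PHP_EOL;
```

Run from the CLI it prints `null`, showing the injection-style value matched nothing; with `'name' => 'alice'` it returns that row.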