I'm using the 000webhost site to host a database that I access from my Android app. I've created a PHP script like this:

<?php
    $connection = mysqli_connect("localhost", "my_user", "my_password", "my_db");
...

When I run it, it says it can't connect "Access denied for user 'my_user'@'localhost' (using password: YES)". This is the same syntax the tutorial I watched used. They are using the same site.

But if I give real values to the parameters

<?php
    $connection = mysqli_connect("mysql1.000webhost.com", "a80023423_as22", "abc222", "a80023423_as22");

it works.

If someone types my URL in the address bar, they can access all my PHP files, and so go my passwords and all the data needed to make a connection to the DB. I went through some blogs and sites and even some answers on Stack but couldn't figure out how to mask these values.

Are there any tips you can give? Or a link to an already posted answer?

  • Regular visitors can't see the source code of PHP files; they see only the output generated by these files. – Roman Nazarkin Apr 03 '16 at 14:54
  • You shouldn't access your database from your Android app; that's a huge problem with security. Instead you should use JSON or XML or something as a way to retrieve the information, and some REST API to receive the information from the other side. Check this framework or similar: http://www.slimframework.com/ – Saikios Apr 03 '16 at 14:54
  • Can't they decode the .php file? Also I'm wondering why "my_user" is not working as "a80023423_as22" does. – Padmal Apr 03 '16 at 14:59
  • No, they can't decode a PHP file. They can decode an Android app because they have the code, but PHP is protected by the server. – Saikios Apr 03 '16 at 15:00
  • Hmm then I guess there's no potential threat in anyone knowing db details. But is there a way to mask them? Like accessing the default values like in the first code snippet? – Padmal Apr 03 '16 at 15:03
  • You might have php error reporting set too high. – Torchify Apr 03 '16 at 15:05
  • On PHP-side generate json objects from your database (with website logic) and on Android-side, get it with Retrofit (or another lib). Whatever you put "localhost", your db host is "mysql1.000webhost.com", you could replace it with variable filled from another file or a configuration file. – Loenix Apr 03 '16 at 15:06
  • But in that case @Loenix there is a file with the actual password and user details on the web. Can't we access the default values which the server holds? – Padmal Apr 03 '16 at 15:08
  • Can you confirm php error reporting level by echoing `error_reporting()`? – Torchify Apr 03 '16 at 15:09
  • I put an echo into the code like you said and it says 6135. – Padmal Apr 03 '16 at 15:19
  • @Blogger posted an answer, you need to use .htaccess file to hide the listing of php script files in your website when someone types your website url. Also turn off error reporting so that users don't see errors. – shivgre Apr 03 '16 at 17:10
  • @RyanVincent I tried "$my_password" as well as $my_password. Both giving the error "Access denied for user 'a8002476_padmal'@'10.1.1.9' (using password: NO)". Earlier it was "Using password: YES" – Padmal Apr 04 '16 at 00:40
  • I hope that is not your actual username and password on the second bit of code. – Torchify Apr 04 '16 at 17:42

1 Answer

Your php.ini is set to E_ALL & ~E_NOTICE with the display_errors ini directive set to 1. This is why it's printing the failed mysqli request as plain text. This may be desirable in a testing environment but definitely not in production.

If you can edit your php.ini file then you can set the display_errors directive to 0.

If you cannot change the ini file, you need to include this code at the top of your script:

    error_reporting(E_ALL);
    ini_set("display_errors", 0);

This will prevent errors like the failed mysql login from being shown to your users. It is safe to have the actual username and password inside the php file.
