-1

Like most PHP developers, I include a script on every page that requires connection to the MySQL DB. The script contains the mysqli_connect function which contains the DB username and password.

What prevents someone from uploading a script on their server which requires/includes that script (e.g. `include 'www.anothersite.com/DB/connect.php'`)? The hacker could then make a script to update/delete/insert etc. in my DB. Is the answer to upload the file in a directory before the public domain?

Sorry for such a nooby question. I'm fairly good at coding but I'm not too great at the security aspect, so I'm taking some time to learn.

Ben
  • 1
  • 3
  • 3
    See https://stackoverflow.com/questions/1158348/including-a-remote-file-in-php. Also, even if that was on, your database shouldn't be set up to allow remote access – ADyson Apr 16 '23 at 12:43
  • 1
    More than that, I would recommend to keep all sensitive code/files/configs etc outside of the document root. If the unlikely issue would happen on the web server making it return the source instead of parsing the PHP code, no one would then be able to access it anyway. – M. Eriksson Apr 16 '23 at 14:01
  • 1
    "*Like most PHP developers*" I think most developers don't do that. You should not include your credentials in a PHP script. – Dharman Apr 16 '23 at 16:56
  • 1
    To elaborate on the above, ideally the credentials go in a config file rather than hard coded into the script – ADyson Apr 16 '23 at 17:04
  • 1
    _"What prevents someone from uploading a script on their server which requires/includes that script (eg include'www.anothersite.com/DB/connect.php'?"_ - nothing would prevent them from doing so, but what would they actually _achieve_ by that? Assuming the parsing of files with the suffix `.php` was not currently _failing_ on your server, they would only see any _output_ your script generates. They would not have access to the values of any _variables_ - same as _I_ would not, if I just requested your `www.anothersite.com/DB/connect.php` via my browser. – CBroe Apr 17 '23 at 07:28
  • But because a failure to parse PHP files of course _could_ happen at some point, the general recommendation is to store any such credential / config files outside of the document root folder - in which case, they would not be accessible via HTTP in the first place. – CBroe Apr 17 '23 at 07:29
  • Network services are just programs talking to each other. You never get direct access to other people's disk drives. – Álvaro González Apr 18 '23 at 10:57

1 Answer

1

This is one of the reasons why most developers do not store credentials in a PHP script file. DB credentials should not be part of your code, mainly for two reasons: they are different depending on the environment, and you don't want to expose them in the version control system. DB credentials and any other environment variables should be stored in a config file outside of your document root directory. They should be inaccessible from the internet.

The problem you describe is taking advantage of remote file includes. When including remote files (the functionality is deprecated, by the way), the PHP file will be executed by the remote server and the output will be included in your PHP script. So unless you have a script that generates a valid PHP file on your server, you don't have to worry that someone will be able to hijack it. As is said in the PHP manual:

> This is not strictly speaking the same thing as including the file and having it inherit the parent file's variable scope; the script is actually being run on the remote server and the result is then being included into the local script.

You would need to write code like this to be able to include it remotely:

```php
<?php echo '<?php $thisVariableIsAvailableRemotely = 42;';
```

But files like "connect.php" should not be accessible from the internet as users have no use for executing them. Keep them out of your document root!

Additionally, you must ensure that your server is not accessible from outside the local network if you use a localhost or local network connection. If your website connects to a remote MySQL database then you should use a strong password with SSL and keep the credentials very secure.

Lastly, I would like to add that having files like "connect.php" in your project is a code smell and a rather bad design. Please consider learning good design patterns such as MVC, front controller and dependency injection. Don't write spaghetti code that people wrote 20 years ago.

Dharman
  • 30,962
  • 25
  • 85
  • 135
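
The advice in the answer and comments above (credentials in a config file kept outside the document root) as an added example; it is not code from the question, the answer or the comments. The directory layout, the `db.ini` file name, its keys and the function names `loadDbConfig` and `connectDb` are assumptions made for illustration, and `str_starts_with` requires PHP 8.

```php
<?php
declare(strict_types=1);

// Load DB settings from an INI file, refusing any file located inside the
// document root (where a server that stops parsing PHP could serve it).
function loadDbConfig(string $configPath, string $documentRoot): array
{
    $config = realpath($configPath);
    $root   = realpath($documentRoot);
    if ($config === false || $root === false) {
        throw new RuntimeException('Config file or document root not found');
    }
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (str_starts_with($config, $rootPrefix)) {
        throw new RuntimeException('Config file must live outside the document root');
    }
    // INI_SCANNER_RAW keeps special characters in passwords uninterpreted.
    $settings = parse_ini_file($config, false, INI_SCANNER_RAW);
    if ($settings === false) {
        throw new RuntimeException('Config file could not be parsed');
    }
    foreach (['host', 'user', 'password', 'database'] as $key) {
        if (!isset($settings[$key])) {
            throw new RuntimeException("Missing DB setting: $key");
        }
    }
    return $settings;
}

// Open the connection from loaded settings; errors surface as exceptions.
function connectDb(array $s): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli($s['host'], $s['user'], $s['password'], $s['database']);
    $db->set_charset('utf8mb4');
    return $db;
}

// Constructed layout: <tmp>/public is the document root, <tmp>/config is not served.
$base = sys_get_temp_dir() . '/site_' . bin2hex(random_bytes(4));
mkdir("$base/public", 0700, true);
mkdir("$base/config", 0700, true);
$ini = "host=127.0.0.1\nuser=app\npassword=placeholder\ndatabase=appdb\n";
file_put_contents("$base/config/db.ini", $ini);
file_put_contents("$base/public/db.ini", $ini); // the misplaced copy

$settings = loadDbConfig("$base/config/db.ini", "$base/public");
echo "Loaded settings for database: {$settings['database']}\n";
try {
    loadDbConfig("$base/public/db.ini", "$base/public");
} catch (RuntimeException $e) {
    echo "Rejected: {$e->getMessage()}\n";
}
```

In an application, the front controller would call `connectDb($settings)` once and pass the resulting connection to the code that needs it.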