4

I want to write a basic MVC framework and blog in PHP, and use that for my own blog. I would like to have the whole thing on github for others to play with, but it seems like posting the php, specifically database access stuff, would just make it extremely vulnerable to any number of attacks that I may not even know about.

I don't mean "oops I pushed my database user/pass to github", just that everything is visible, and I'm not a web security expert. How do I know if my database model is secure? Perhaps I am assuming it's easier than it is to attack websites?

zdkroot

4 Answers

4

Security through obscurity is no security at all.

See "Why is security through obscurity a bad idea?"

Delan Azabani
4

Any secure system is secure because it is logically sound, not because the code is kept a secret. If you do not trust yourself to write logically sound, secure code, maybe you shouldn't publish it. That doesn't make the code more secure, it just slows down attackers ever so slightly in spotting obvious defects and exploiting them. OTOH, open sourcing code and having many eyes look at the problem is the usual way to harden code. You just need to ensure you find active contributors.

deceze
1

Ignore the database configuration in your source control and provide a .sample. Part of the installation instructions for your software is to use the .sample as a template for your user to properly configure the software.

db.conf # ignored
db.conf.sample

(Ideally, though, the database wouldn't be publicly accessible.)

mqsoh
0

Before hosting your code online, make sure that you are excluding the configuration files (which usually include database usernames and passwords) from your projects by adding them to your ignore list. Or replace them with sample configuration files with dummy usernames and passwords.

Github has a help document about this here.

Raj