3

I've just had an argument with a colleague. My index.php contains my MySQL connection and therefore also the host, username, password and database name. He claims it is a security threat because the possibility exists that the PHP parser may fail, which would cause the webserver to return the entire file as plain text. I, however, believe that IF the PHP parser failed, the webserver would give an internal server error to the users.

Can anyone confirm whether it is or is not a security risk?

Thank you.

user6

5 Answers

3

The short answer is no.

The long answer is yes, but only if:

  1. your server's been compromised, in which case people reading your PHP files are the least of your worries
  2. you've misconfigured your server to parse .php files as plain text, which would be very silly indeed.

Also, if you're using some kind of version control software, make sure your .hg or .svn or whatever folders can't be viewed from a web browser. You'd be surprised how often that happens.

EDIT:

I would be inclined to go with some of the suggestions on here already, which is what I do in my day to day development. Have a config.php file outside of your web root folder and include this in your index.php. That way you know for sure it's never going to be viewable. Btw, I've been developing in PHP for a number of years and have never had the parser fail in such a way that it's resulted in raw PHP being displayed to an end user.

EDIT 2:

If your colleague is referring to parse errors when he talks about the PHP parser "failing" then in a live environment you should have error reporting disabled anyway.

Garry Welding
1

Either outcome is a possibility. The normal course of action is to use require to bring in a separate file containing your db credentials. That file should be outside the webserver file tree so it can't be reached via a browser.

Andrew Leach
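A concrete version of the layout that both Garry Welding's and Andrew Leach's answers describe, as an added example that is not code from either answer: the credentials live in a file outside the document root, index.php pulls them in with require, and the loader refuses to continue if the file somehow resolves to a path under DOCUMENT_ROOT, so a config that was uploaded into the web tree fails loudly instead of sitting one misconfiguration away from being served as text. The directory layout, the file names, the placeholder values and the load_db_config/db_connect helpers are assumptions for illustration, not anything on the page.

```php
<?php
// Added example (not code from the question or any answer). Assumed layout,
// with hypothetical paths and helper names:
//   /var/www/example.com/config/db.php     credentials, OUTSIDE the document root
//   /var/www/example.com/public/index.php  the document root is .../public
// Requires PHP 8.0+ for str_starts_with().
declare(strict_types=1);

// ---- /var/www/example.com/config/db.php -------------------------------
// That file begins with <?php and simply returns an array, so the values are
// only visible to the code that required it. Placeholder contents:
//
//   return [
//       'host'     => '127.0.0.1',
//       'user'     => 'app_user',
//       'password' => 'change-me',
//       'dbname'   => 'app_db',
//   ];

// ---- /var/www/example.com/public/index.php ----------------------------

/**
 * Load credentials from $path, which must resolve to a location outside
 * $documentRoot. Anything under the document root is refused, because a
 * file there is reachable by URL if the PHP handler is ever not applied.
 */
function load_db_config(string $path, string $documentRoot): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("config file not found: $path");
    }

    $root = realpath($documentRoot);
    if ($root !== false) {
        $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (str_starts_with($real, $rootPrefix)) {
            throw new RuntimeException(
                "refusing to load credentials from inside the document root: $real"
            );
        }
    }

    $config = require $real;
    foreach (['host', 'user', 'password', 'dbname'] as $key) {
        if (!is_array($config) || !isset($config[$key]) || !is_string($config[$key])) {
            throw new RuntimeException("config is missing a string value for '$key'");
        }
    }
    return $config;
}

/** Open a PDO connection that raises exceptions instead of failing silently. */
function db_connect(array $config): PDO
{
    $dsn = sprintf(
        'mysql:host=%s;dbname=%s;charset=utf8mb4',
        $config['host'],
        $config['dbname']
    );
    return new PDO($dsn, $config['user'], $config['password'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// DOCUMENT_ROOT is set by the web server; fall back to this directory on the CLI.
$config = load_db_config(
    __DIR__ . '/../config/db.php',
    $_SERVER['DOCUMENT_ROOT'] ?? __DIR__
);
$pdo = db_connect($config);
```

Two things go with this on a live box. First, the file permissions CD001's answer is getting at: own config/db.php by the deploy account, make the web server's user (or group) the only other reader, and give it mode 0640 so an FTP or shell account other than those two cannot read it. Second, Garry's EDIT 2: with display_errors set to Off in production php.ini, a parse error in index.php produces a bare 500 instead of an error message that names the file path and line number.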
0

I'm of the belief that you can never be too safe. What's easier: replacing thousands, possibly millions, of records if a hacker gets your db information, the security breach you would have to explain to your users (and possibly their lawyers, depending on content and breach), or putting your db information in a separate, password-protected folder and including the information on the pages you need the connection?

To me, the choice is simple.

JT Smith
0

Your co-worker is correct but this is very unlikely to happen. The .php file will only be returned as plain text or as a download if PHP has stopped running on the host.

To be safer, use an include() path to the database credentials in a new folder. In that folder have a .htaccess file with 'deny from all'.

That way, even if PHP stops running on the server, Apache will still run and protect all the files, including the database credentials. If even Apache stops running, the whole webserver will be unreachable and your credentials will still be safe.

:)

Gilly
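The .htaccess from the answer above, as an added example that is not the answer's own file, with the Apache 2.4 spelling of the same rule beside the 2.2 one and the httpd.conf setting the rule silently depends on. The directory path is an assumption.

```apache
# Added example, not from the answer. Hypothetical layout: the credentials file
# is /var/www/example.com/public/private/db.php, i.e. INSIDE the document root,
# and this .htaccess sits in the same directory.

# What the answer describes, in Apache 2.2 syntax. On Apache 2.4 these two
# directives are only understood if mod_access_compat is loaded:
#   Order deny,allow
#   Deny from all

# The same rule in native Apache 2.4 syntax:
Require all denied

# This is enforced by Apache, not PHP, so it still applies when the PHP
# handler is missing. It is NOT applied at all unless the vhost lets this
# directory override the relevant setting:
#
#   <Directory "/var/www/example.com/public/private">
#       AllowOverride AuthConfig   # needed for "Require"
#       # AllowOverride Limit      # needed for "Order"/"Deny" (2.2 syntax)
#   </Directory>
#
# Putting "Require all denied" straight into that <Directory> block removes
# the AllowOverride dependency and the per-request .htaccess lookup.
```

Check it from outside the box with a plain HTTP request for /private/db.php; the expected answer is 403, not 200 and not the file.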
0

Personally I'd put the options in a config file outside the web tree and, once uploaded, remove FTP access from that directory. It's not just a matter of whether the PHP parser fails and drops the file out as plain text, BUT if the FTP server has a vulnerability that's compromised, that file could be accessed by FTP as well as HTTP.

As long as Apache/PHP is running as a separate user to FTP you can still require the config file from PHP.

CD001