[question] How to secure database connection setup file

db set, secure db connection

     
5:46 pm on Jan 17, 2012 (gmt 0)

New User

5+ Year Member

joined:Jan 17, 2012
posts:2
votes: 0


Guys, I am typically the one helping people who are new to PHP, but this is a somewhat expert question, if someone could help me with it.

I am writing a script for a website that will take credit cards. I am trying to secure information as much as possible. My biggest issue is with the MySQL db setup.

for example:
I have a db_setup.php file (hidden beyond root directory)

PHP Code:
//set parameters
= 'db_user';
= 'super-secret-password';
= 'db-name';
//connect
= mysql_connect('localhost', , );
//destroy trivial info
unset();
unset();
if (!) {
die('Could not connect: ' . mysql_error());
}

= mysql_select_db(, );
if (!) {
die ('issues with DB : ' . mysql_error());
}
unset();
?>

and this file is included in my index page


require('../protected/db_setup.php');

Where I point to the file outside of my site root for extra protection.

THE PROBLEM:

IF, and only IF php engine on the webserver chokes and decides to dump all php files in text form (instead of interpreting), whoever is accessing that site can read all my secrets in PLAIN TEXT!

How would you prevent that from happening?

I wonder if you're asking, "but TrueStory, how often does the PHP engine crash?"

Well, a hacker can forcefully pass large information to server (in file upload form or in any user input form on the site)

I want to prevent my db_setup.php from being included (but still executed) at all! Even if the PHP engine would never crash.

Gracias!
5:50 pm on Jan 17, 2012 (gmt 0)

New User

5+ Year Member

joined:Jan 17, 2012
posts:2
votes: 0


Guys, sorry, I cannot edit the above post; here is the correct code:


//set parameters
$dbuser = 'db_user';
$dbpassword = 'super-secret-password';
$dbname = 'dbname';
//connect
$link = mysql_connect('localhost', $dbuser, $dbpassword);
//destroy trivial info
unset($dbpassword);
unset($dbuser);
if (!$link) {
die('Could not connect: ' . mysql_error());
}

$db_selected = mysql_select_db($dbname, $link);
if (!$db_selected) {
die ('issues with DB : ' . mysql_error());
}
unset($dbname);
6:07 pm on Jan 17, 2012 (gmt 0)

Senior Member

WebmasterWorld Senior Member penders is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:July 3, 2006
posts: 3123
votes: 0


IF, and only IF php engine on the webserver chokes and decides to dump all php files in text form (instead of interpreting), whoever is accessing that site can read all my secrets in PLAIN TEXT!


This is why db_setup.php is above the web root. All the end user will see is the require() statement itself....
require('../protected/db_setup.php');


db_setup.php will still be inaccessible. This is the 'extra protection' you mention.
8:28 pm on Jan 17, 2012 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 30, 2007
posts:1394
votes: 0


Well, it's not only the PHP engine. Even if that's the case, the folder where the config file with passwords is stored should be protected from the server script (like .htaccess) so HTTP access is not allowed. I prefer it over the relevant back paths which have environment dependencies.

Another thing: there should also be a db switch from your host's cPanel; you could use it to restrict remote database connections.

in file upload form or in any user input form on the site

They don't need an input field present on your site or a form to do that, they can upload whatever. It's what your code does in these cases.
12:01 am on Jan 18, 2012 (gmt 0)

New User

5+ Year Member

joined:Dec 26, 2011
posts: 11
votes: 0


In response to 'a hacker can forcefully pass large information to server (in file upload form or in any user input form on the site)' enigma1 is correct in saying 'It's what your code does in these cases'.

... my suggestion is that you limit the size of the data input or upload:

examples
text form object: maxlength='nnn'
file upload script from [php.net...]

MAX_FILE_SIZE must precede the file input field:
<input type="hidden" name="MAX_FILE_SIZE" value="30000" />

Check EVERY possible form input field and restrict the field data size on both sides - on the form and in the form processing.
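
The "form processing" side of that advice, as an added example that is not part of the original thread: `maxlength` and the `MAX_FILE_SIZE` hidden field are sent by the browser and can be changed or omitted, so the handler has to re-check sizes itself. The field names `comment` and `doc`, both limits, and the two helper functions are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Limits and names are assumed.
const MAX_COMMENT_BYTES = 500;    // same limit the form states via maxlength
const MAX_UPLOAD_BYTES  = 30000;  // same limit the form states via MAX_FILE_SIZE

// Returns null when the text field is acceptable, otherwise a reason string.
function check_text_field($value, int $maxBytes): ?string
{
    if (!is_string($value)) {
        return 'not a string';    // e.g. comment[]=x arrives as an array
    }
    if (strlen($value) > $maxBytes) {
        return 'text too long';
    }
    return null;
}

// Returns null when one $_FILES entry is acceptable, otherwise a reason string.
function check_upload(array $file, int $maxBytes): ?string
{
    $error = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if (!is_int($error)) {
        return 'malformed upload entry';   // doc[] style or tampered request
    }
    if ($error === UPLOAD_ERR_INI_SIZE || $error === UPLOAD_ERR_FORM_SIZE) {
        return 'file too large (rejected by PHP)';
    }
    if ($error !== UPLOAD_ERR_OK) {
        return "upload failed (code $error)";
    }
    // Measure the stored file against our own limit; the form's
    // MAX_FILE_SIZE value is chosen by whoever sends the request.
    $tmp    = $file['tmp_name'] ?? '';
    $actual = (is_string($tmp) && is_file($tmp)) ? filesize($tmp) : false;
    if ($actual === false || $actual > $maxBytes) {
        return 'file missing or too large';
    }
    return null;   // a live handler would now call move_uploaded_file()
}

// Constructed sample input standing in for $_POST and $_FILES.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, str_repeat('A', 40000));
$post  = ['comment' => str_repeat('x', 600)];
$files = ['doc' => ['error' => UPLOAD_ERR_OK, 'tmp_name' => $tmp]];

var_dump(check_text_field($post['comment'], MAX_COMMENT_BYTES));
var_dump(check_upload($files['doc'], MAX_UPLOAD_BYTES));
unlink($tmp);
```

The hard ceiling on request size is still set by `upload_max_filesize` and `post_max_size` in php.ini; the checks above apply the tighter per-form limits.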