4 {{ upvoteCount | shortNum }}
4 {{ upvoteCount | shortNum }}

Securing DB connection in PHP

by TrueStory
3 replies
Guys, I am typically the one helping people who are new to PHP, but this is somewhat expert question, if someone could help me with.

I am writing a script for website that will take credit cards. I am trying to secure information as much as possible. My biggest issue is with MySQL db setup.

for example:
I have a db_setup.php file (hidden beyond root directory)

Code:
//set parameters
$dbuser = 'user';
$dbpassword = 'passwor-secret';
$dbname = 'dbname';
//connect
$link = mysql_connect('localhost', $dbuser, $dbpassword);
//destroy trivial info
unset($dbpassword);
unset($dbuser);
if (!$link) {
    die('Could not connect: ' . mysql_error());
}

$db_selected = mysql_select_db($dbname, $link);
if (!$db_selected) {
    die ('isses with DB : ' . mysql_error());
}
unset($dbname);
and this file is included in my index page

PHP Code:
require('../protected/db_setup.php'); 
Where I point to the file outside of my site root for extra protection.

THE PROBLEM:

IF, and only IF php engine on the webserver chokes and decides to dump all php files in text form (instead of interpreting), whoever is accessing that site can read all my secrets in PLAIN TEXT!!!

How would you prevent that from happening?

I wonder if you're asking, but TrueStory how often does PHP engine crashes?

Well, a hacker can forcefully pass large information to server (in file upload form or in any user input form on the site)

I want to prevent my db_setup.php from being included (but still executed) at all! Even if php engine would never crash.

Gracias!
#connection #php #securing
  • Profile picture of the author michael_gourlay
    If the server did serve the page as text, wouldn't the person viewing it just see the require statement and then be unable to fetch that page because it's not in a directory that can be served by the webserver?
    {{ DiscussionBoard.errors[5442902].message }}
    • Profile picture of the author TrueStory
      Michael,

      basically if i add

      echo "So why don't you just dump entire db here";

      to my "protected" file it echoes without a problem.

      I tested "broken" PHP engine on a server (simply turning off php. It dumped just text of index.php

      So i guess you're correct: if PHP is broken, it should not interpret this line of code:

      require('../protected/db_setup.php');
      Signature

      Your business matters only to people that matter to your business[/U][/B] - Reach them?

      {{ DiscussionBoard.errors[5442923].message }}
      • Profile picture of the author michael_gourlay
        Yeah, so just make sure there's no way to fetch the secured file and I think you are ok.
        {{ DiscussionBoard.errors[5443706].message }}

Trending Topics