
PHP and MySQL Security


mooeypoo


Hi, question:

 

In order to connect to a MySQL db through PHP I need to supply a username and password.

 

Is there *any* way you could think of to prevent people from downloading those PHP pages? 'Cause I know that if they click "view source" they only get the HTML without PHP, but I am not 100% sure that those PHP files CANNOT be downloaded.

 

Which actually means that if anyone downloads my PHP source page, I'm screwed and my DB is open to hacks.

 

 

Does anyone have any ideas how to prevent that?

 

 

 

~moo


Hehehe, well I guess if you find your answer I'll just have to reverse it and find mine ;p

 

Let me know, by the way.

 

I actually think (a friend of mine said so) that PHP is relatively easy to download from the server, hence my fear of being "robbed" of my db.

 

Anyway, hah :)

 

~moo


PHP files can only be downloaded over the FTP protocol; if your FTP is password protected (it should be by default) then you are OK. Your PHP interface should keep the SQL pretty secure.

 

Of course skilled hackers can break through that code through a UNIX console, let's say... but unless you have Fat Tony's billions of dollars to hide, it shouldn't happen :D


Atlantic is right: your PHP source can't be viewed from a browser.

 

Even if you call a PHP-only file with the HTTP protocol, the code will be executed on the server and only valid output gets returned.

 

It's one of the advantages of a server-side language :)


Pyro said in post # :

Nice post... but I was thinking about it the opposite way :) Is there any way to download someone's PHP source? :)

Yes: ask them for it. You'd be surprised how many coders will happily oblige.

 

Anything else is theft.


Okay kewl -- a friend of mine just happened to know a few things I wrote inside the PHP files code-wise, so I was wondering if maybe my code wasn't very secure.

 

Probably he was just playing games with me... I'll kick his ass anyway for making me worry like that ;p

 

Thanks guys!! That was very helpful.

 

~moo


It is possible that the MIME-types on a server might be set up incorrectly. This can result in a stream of information being rendered in the browser as text and non-text characters when a file request is made, instead of being correctly handled and responded to by the server (you see this sometimes when trying to download media files from some websites).

 

This is the result of crappy server administration though, rather than an attribute of PHP itself.


I always keep the db connection in a separate file anyway, and include it to scripts that need it.

 

So even if someone did manage to get the code for a user-viewable page somehow, they'd not (immediately) have the db details (and hopefully not have the smarts to work out that it was almost within reach).


Yeah, I thought about it, but if anyone were smart enough to get to my PHP source, he wouldn't have trouble going to the other page, as you said ;)

 

I just made another server handle username that allows only reading, so that even if anyone takes it, he's not the administrator of the database :)


You might want to read up on SQL injection as well; this is a more immediate security problem with PHP pages and MySQL DBs.

 

Also add error handling into your code so that if there is a problem the error message won't give a chunk of source code and the DB name to anybody. (This won't pass on any login details, but it's still a possible risk, as it may allow somebody to glean the name of your username form field for a login; this could then be used to break the security through SQL injection.)



There are really only two things to consider when you're considering PHP security. The first is file permissions. This usually isn't a problem, but you might want to create a directory for all your include files and make this inaccessible to the outside world with a .htaccess file (assuming you're using Apache).

 

The other thing is SQL injection. Basically, make sure that whenever anyone submits any type of data and that data is subsequently used in an SQL query, you use addslashes() to properly escape the data. Otherwise some person could quite happily come along and screw your entire database over for a laugh.

 

And remember, always keep a backup of your database and source files, just in case.


Whether or not the PHP file types can be downloaded will depend on whether the MIME types on the server are set up properly. Bad MIME types can be disastrous for PHP-based sites.

 

A common trick is to put in a MIME setting that makes the server treat any file with an .xhtml or .dhtml extension as PHP, so people looking for sites to break into will not immediately realise what server-side language is in use.

 

I'm going to experiment with that later so I'll let you know ;)

 

 

If you are not 100% sure whether your queries are SQL-injection proof, ensure the database user that your query string includes only has SELECT permissions.

 

I only allow DB connection strings to get UPDATE, INSERT or DELETE permissions if the script involved can prove (1) the user's identity and (2) their intentions.
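Putting the thread's advice together (credentials in a separate include outside the web root, a read-only DB account, a login query that cannot be injected, and errors that don't leak the query or DB name), here is an added example that is not from any poster in this thread. It uses PDO prepared statements instead of the addslashes() escaping suggested above; the config path, the table name and the column names are assumptions.

```php
<?php
// Added example, not from the thread. Assumes a MySQL table `users`
// with columns `username` and `password_hash` (hashed with password_hash()),
// and a config file kept outside the web root (hypothetical path below).
declare(strict_types=1);

// 1. Credentials live in a file the web server never serves, so a
//    MIME or .htaccess slip on a viewable page does not expose them.
//    The account used here was created with SELECT only, e.g.
//    GRANT SELECT ON app.* TO 'app_ro'@'localhost';  (assumed account)
//    so even a query that is somehow injected cannot UPDATE/INSERT/DELETE.
$config = require '/var/www/private/db-readonly.php'; // hypothetical path
// That file returns something like:
// return ['dsn'  => 'mysql:host=localhost;dbname=app;charset=utf8mb4',
//         'user' => 'app_ro', 'pass' => '<placeholder>'];

// 2. Never build the query from the raw form field. A prepared statement
//    sends the SQL and the value separately, so a username such as
//    "' OR '1'='1" is just a string to compare, not SQL to execute.
function findUserByName(PDO $db, string $username): ?array
{
    $stmt = $db->prepare(
        'SELECT username, password_hash FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Failures go to the server log; the browser gets a generic message,
//    so an error never reveals source, query text, table or column names.
try {
    $db = new PDO($config['dsn'], $config['user'], $config['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);

    $username = (string)($_POST['username'] ?? '');
    $password = (string)($_POST['password'] ?? '');

    $user = findUserByName($db, $username);
    // Same answer for "no such user" and "wrong password": no user enumeration.
    $ok = $user !== null && password_verify($password, $user['password_hash']);

    echo $ok ? 'Welcome, ' . htmlspecialchars($user['username']) : 'Login failed.';
} catch (PDOException $e) {
    error_log('DB error in login: ' . $e->getMessage()); // server side only
    http_response_code(500);
    echo 'Something went wrong. Please try again later.';
}
```

Pair this with `display_errors = Off` in php.ini on the production server, otherwise PHP's own uncaught-error output can still print file paths.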

