Results 1 to 17 of 17

Thread: php

  1. #1
    Join Date
    Dec 2013
    Posts
    150

    php

    Hi,

    If I have mysql connection details (host,db,user,password) in a php file (dbconnection.php) is it possible for someone to view it or hack from it?

    If so what's a way to hide or mask it?

    Another question if I put the file outside public_html with permissions on it and maybe a password and link to it from the login page would that be more secure?

    Cheers

  2. #2
    Join Date
    May 2014
    Location
    UK / USA (California)
    Posts
    105
    You can make the file inaccessible from a web browser by adding to the .htaccess files these rules:

    <Files "dbconnection.php">
    deny from all
    </Files>

    The file still can be included in your scripts and adding the .htaccess rule above will not disable your database connections.

  3. #3
    You also want to check local permissions on the file. Make sure it's not world readable.
    █ Ceniks LLC
    █ Offering VPS Hosting, Colocation, and Dedicated Servers
    http://www.ceniks.com
    █ OpenVZ/KVM Servers @ http://www.ceniks.com - Enterprise level OpenVZ/KVM VPS

  4. #4
    Join Date
    Jun 2010
    Location
    US / UK / SG / IN
    Posts
    83
    If I have mysql connection details (host,db,user,password) in a php file (dbconnection.php) is it possible for someone to view it or hack from it?
    This is how all opensource applications/cms out there save db connection info, i.e. save it in a .php file. Of course, you need to make sure that the permissions are proper. If you are so concerned about the mysql connection details in that file, maybe you should encode it using Ioncube.

  5. #5
    Quote Originally Posted by Server Adminz View Post
    If you are so concerned about the mysql connection details in that file, maybe you should encode it using Ioncube.
    I wouldn't bother with that. Just set the permissions to 600 on the file & you'll be good to go.
    █ Ceniks LLC
    █ Offering VPS Hosting, Colocation, and Dedicated Servers
    http://www.ceniks.com
    █ OpenVZ/KVM Servers @ http://www.ceniks.com - Enterprise level OpenVZ/KVM VPS

  6. #6
    We can't access database connection with HTML.

  7. #7
    Join Date
    Apr 2014
    Posts
    264
    Quote Originally Posted by joshaidan View Post
    We can't access database connection with HTML.
    Yes that's true.

  8. #8
    Unless there is errors in your file or if someone can download your PHP file, there really is no way to get the source code. Now if someone has access to your server, that is a different problem.

    In most cases, and in most frameworks, config files are protected, or in a protected directory, so users can't navigate there or anything.

    But again, just visiting dbconnection.php will only bring up a blank page, and you really shouldn't have any issues if you do nothing. Best practice would be to protect it using .htaccess or place it outside of the public/html directory.
    Managed Service Provider - www.OpticIP.com
    Public & Private Cloud
    Solutions | SSD SANs | High IOP's | CDN Solutions
    Phoenix/Chandler AZ Colocation | 48U Cabinets | Data Halls | TIA-942 Tier 4 Facility

  9. #9
    The concept of PHP is that the code is executed server-side.
    This means that by nature, the front-end user is unable to see the source code.

    As Tim pointed out, the only possible way to access that information would be to download that page via SSH or FTP.

  10. #10
    Join Date
    Feb 2005
    Location
    Australia
    Posts
    5,849
    Quote Originally Posted by TimOpticIP View Post
    Unless there is errors in your file or if someone can download your PHP file, there really is no way to get the source code.
    The risk is that at some time in the future, typically after a failed recompilation of PHP, the webserver may be restarted misconfigured in such a way that it fails to parse PHP files. It's not a common thing but it can and does happen. Even protecting the file through directives in .htaccess could fail if the server's set up to ignore .htaccess, although the combination of misconfigurations makes this a very remote possibility.

    Ultimately IMO the best method of protecting config files is simply to place them outside the public web directory but .htaccess protection is a reasonable alternative.

    In any event, as already stated, if the attacker gets access to the account through ftp, ssh or an exploit on any PHP script then it's game over.
    Chris

    "Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter

  11. #11
    Join Date
    Jun 2014
    Posts
    1
    When compared to other options like .ini files, xml files its always better to keep the config data in a php file. Since by default if you have configured php in apache it will only execute but will not show the data as a text output. But other file formats do. To make it secure, you can keep the file from direct access to public_html and provide a link to it from another secure path. Also make sure that you only have execute permission on the file.

  12. #12
    Like others said, it is not readable from HTML side. However, you should always consider "What if someone is able to reach file itself." In this case, encoding the file with ioncube would be good extra security.

  13. #13

    nope

    Through php none can access your files unless you have not created an well encrypted password(assuming your files are reachable through some sort of permission). Not to mention the security holes leaking through your hosting provider through the server.

  14. #14
    Most Content Management Systems (WP, Joomla, etc) keep information such as this in a php file. It is safe behind the file and folder permissions and cannot be seen through direct access. Although nothing is impervious, it is normally safe.

    Think of it like your wallet laying on your kitchen table. It is safe by normal standards, but accessible should someone gain access to your house. If you need extra security keep it in a safe (or use ioncube for your code).
    [B]Scott M

  15. #15
    Join Date
    Mar 2014
    Location
    Prague
    Posts
    132
    Set up your SQL to accept connections only from IP of your webserver (or 127.0.0.1 if both SQL and webserver live on the same server)

  16. #16
    Join Date
    Nov 2012
    Posts
    74
    Quote Originally Posted by scott_m View Post
    Most Content Management Systems (WP, Joomla, etc) keep information such as this in a php file. It is safe behind the file and folder permissions and cannot be seen through direct access. Although nothing is impervious, it is normally safe.

    Think of it like your wallet laying on your kitchen table. It is safe by normal standards, but accessible should someone gain access to your house. If you need extra security keep it in a safe (or use ioncube for your code).
    There's no real need for that. Plus ioncube is hackable. There's free apps online that can decrypt it.

    even if you encrypt your file it don't make it bullet proof from hackers.

    I myself don't encrypt my stuff on my server and it's because it makes files heavier then needed and takes more time to process.

    The hackers cannot easily hack your servers. Just make sure you keep your servers up to date.

  17. #17
    Easy method is to do not give permission to that file, make it hidden for all except admin

Similar Threads

  1. Replies: 33
    Last Post: 07-25-2011, 01:01 PM
  2. PHP: Custom WHMCS billing gateway or PHP script - API included
    By omega36 in forum Employment / Job Offers
    Replies: 1
    Last Post: 11-29-2007, 03:01 PM
  3. php safe_mode on and /usr/lib/php/DB.php error - pear
    By nand in forum Hosting Security and Technology
    Replies: 1
    Last Post: 05-03-2005, 02:44 AM
  4. [For sale] Interspire WebEdit Pro PHP and SendStudio 2004 PHP
    By Arlanda in forum Other Offers & Requests
    Replies: 1
    Last Post: 01-25-2005, 03:13 PM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •