I have a file called “db_settings.php” which looks like this…
<?php
// Database Host.
define('DB_HOST', 'localhost');
// Database User.
define('DB_USER', 'some_user');
// Database Password.
define('DB_PASSWORD', 'some_password');
// Database Name.
define('DB_NAME', 'some_database');
// Make Connection (the @ suppresses the warning; die() stops the script on failure).
$dbc = @mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME)
OR die('Could not connect to database. Contact System Administrator.');
A while back I moved it from the web root to a directory called “outside_root” - which is obviously just that!
Then for any script that needs to connect to MySQL, I use REQUIRE “db_settings.php”
I was always under the assumption that doing this added more security, because someone from the Internet - capital “I” - could not access my database username and password.
But for some strange reason today, I am wondering if things work the way I thought?
It isn’t an assumption, it is fact. If your outside_root folder is outside of the folder being served by Apache to the public, the only ways to access that folder are as follows:
1. Direct access to the box (via SSH or being physically there)
2. An injection was found on your site that permits a user to upload a PHP file and execute it, thus permitting access to the files you’ve stored on your server.
For the second, validate ALL input from your users. Do not permit unknown file extensions or mime types. If you permit image uploads, make sure they are truly images, etc.
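As an added illustration of the upload checks described in this reply (my example, not the poster’s upload-photo.php), here is a strict image-upload validator. It assumes a form field named photo and an upload directory outside the web root, e.g. /var/www/outside_root/uploads (both are assumptions; adjust for your host).

```php
<?php
// Added example, not code from the thread. Assumes the form field is "photo"
// and that $uploadDir is OUTSIDE the directory Apache serves (path is assumed).

function validate_image_upload(array $file, string $uploadDir): string
{
    // 1. Reject anything PHP itself flagged as a failed or forged upload.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed.');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }

    // 2. Allow only a fixed list of extensions; never trust the client-supplied name.
    $allowed = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    ];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('File type not permitted.');
    }

    // 3. Take the MIME type from the file CONTENT, not from $_FILES['type'],
    //    which the browser (i.e. the attacker) controls.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException('File content does not match its extension.');
    }

    // 4. Confirm the bytes really parse as an image.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a valid image.');
    }

    // 5. Store under a server-generated name outside the web root, so even a
    //    file that slipped through can never be requested and executed by Apache.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file.');
    }
    return $dest;
}

// Usage from the upload script:
// $saved = validate_image_upload($_FILES['photo'], '/var/www/outside_root/uploads');
```

Serve stored images back through a PHP script that reads the file and sets the Content-Type header, rather than linking to the upload directory directly.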
I have “db_settings.php” located outside of my web root with my database login credentials, and that supposedly keeps people from getting to it from the Internet.
However, since “user-profile.php” - in my web root - INCLUDES “db_settings.php” doesn’t that allow some hacker to still get the database credentials associatively?
That is what has me second guessing myself.
To be more clear, here is my current situation…
I decided to switch from mail( ) to phpMailer( ) because it is supposed to be more secure. As I am adding the code for phpMailer( ), I see that I have to give it the Username, Password, Port, etc for the Email Server on my VPS.
So I was freaked out about putting the password that I use to log in to check my email account into a PHP script in PLAIN-TEXT!!
To me, you should avoid writing down or storing passwords. Period.
Unfortunately as I found out in another thread, this apparently is a necessary evil.
So to address this, I figured I could mimic how I handled my database credentials for my email credentials, i.e. store them outside of the web root.
But the problem still seems to be that since I would INCLUDE “email_settings.php” in several scripts in my web root, that I am still basically making the Username/Password easily available to hackers…
Does that make sense, and do you have any recommendations on how to be more secure, and how to handle things like a big enterprise would - or at least on my client’s tiny budget!!
Well, I stand behind my “upload-photo.php” script. However, I do have to look closer at Apache and make sure hackers can’t upload files another way. I will have to ask advanced hosting about that.
To your other point, are you saying that as long as I prevent hackers from uploading executable files, that no one on the Internet will be able to see my database (or email server) Username/Password even though I am INCLUDING them in scripts located in my web root?
Yes, with one more contingency. Are you permitting individuals to type in code and then executing that code via an eval statement? If not, you are safe.
Think http://writecodeonline.com/php/, where you can type PHP code and execute it. If you are not permitting that and you are 100% sure about your file upload script, you are fine.
What would I have to do - or not do - to allow users to enter PHP into a form and execute it?
My client’s website has lots of HTML forms where people can enter account info, or post messages or send PMs, and I do sanitize all of the entries - in what I believe to be a reasonable approach.
I’m still not understanding what I would need to overtly do to allow someone to execute PHP on my client’s site, or if the absence of something might allow that to happen?