PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
Loading
It is currently Thu Oct 17, 2019 6:41 am

All times are UTC - 5 hours




Post new topic Reply to topic  [ 2 posts ] 
Author Message
PostPosted: Tue Nov 01, 2011 2:04 pm 
Offline
Forum Newbie

Joined: Tue Nov 01, 2011 1:33 pm
Posts: 1
Hi all,

Please forgive my noobeeness, but I'm quite new to php and very new to php security.

I've just got my foundation's database to the point where it's beginning to be useful, so I'd like to start connecting it to the rest of our website, which is why I'm now on a self-study security crash course.

The first thing I read was to remove any database login information from pages that are in non-protected directories. So, I created a directory for php scripts and protected it with a .htaccess password.

Then I made a new php file called functions.php in that directory, and created a function that logs into the database. Now instead of logging into the database from php files in my website root directory, I include my functions.php file, and call the login function.

So, there I was feeling pretty pleased with myself, when it suddenly occurred to me that I was really no more secure than before. If a hacker can somehow get access to the php code in the website root directory, it will be quite obvious that a call to login() will gain access to the database, just as easily as having the password.

So my question is: should I simply make the function name less obvious, or am I going about this completely the wrong way?

Thanks in advance for any suggestions.


Top
 Profile  
 
PostPosted: Tue Nov 01, 2011 4:16 pm 
Offline
Forum Regular
User avatar

Joined: Tue Sep 28, 2010 11:41 am
Posts: 984
Location: Columbus, Ohio
Well, I think first you have to define what are you trying to protect it from, how do you think people will access the code you are thinking they will access?

If you get a hacker than can end up putting an executable .php script on your server, well they will have access to anything and everything that any "legeit" script can access (included seeing files with DB login information even OUTSIDE of the web root or in webroot that is .htaccess protected.

Here is what I do, any script that is designed to be called from a web browser, it will define a constant and then call the primary include file for the system
Syntax: [ Download ] [ Hide ]
define('SYSTEM_REQUIREMENTS','CDER');
require_once($_SERVER['DOCUMENT_ROOT'].'/inc/init.php');


In my case, SYSTEM_REQUIREMENTS is a list of modules it will include, so only what is needed is loaded. In my case, I don't have too many, so haven't run into the worry of duplicate letters.. ;-) C=cache D=Data E=Encryption R=Rendering function (ie, ones specific to HTML output)

Then in init.php, have something such as:
Syntax: [ Download ] [ Hide ]
defined('SYSTEM_REQUIREMENTS') or die ('ERR: Invalid direct call');

// System defines here, ex app name, version, define URL/PATHs to things such as admin/uploads

// Also important, define a app-wide SALT for encryption - defined here so when using on new app, only should have to adjust init.php
define ('ENC_SALT','My Salt String');

// Define Database values here. You will see why below that the login info is an array...
$aryDatabaseConnect = array(
     'server' => 'localhost',
     'user' => 'app34',
     'pass' => 'pass1234'
);
define ('DB_PREFIX','ma_'); // Prefix for all tables for the app

// This contains functions that will exist across all the app
require_once($_SERVER['DOCUMENT_ROOT'].'/inc/functions.php');

// These are functions per section, called as needed
if (strpos(SYSTEM_REQUIREMENTS,'A')!==FALSE) {
    require_once($_SERVER['DOCUMENT_ROOT'].'/inc/api.php');
}
if (strpos(SYSTEM_REQUIREMENTS,'C')!==FALSE) {
    require_once($_SERVER['DOCUMENT_ROOT'].'/inc/cache.php');
}
if (strpos(SYSTEM_REQUIREMENTS,'D')!==FALSE) {
    require_once($_SERVER['DOCUMENT_ROOT'].'/inc/data.php');
}
if (strpos(SYSTEM_REQUIREMENTS,'E')!==FALSE) {
    require_once($_SERVER['DOCUMENT_ROOT'].'/inc/encrypt.php');
}
if (strpos(SYSTEM_REQUIREMENTS,'R')!==FALSE) {
    require_once($_SERVER['DOCUMENT_ROOT'].'/inc/render.php');
}
if (strpos(SYSTEM_REQUIREMENTS,'T')!==FALSE) {
    require_once($_SERVER['DOCUMENT_ROOT'].'/inc/template.php');
}
// By this point, if used, DB connection information will NOT be needed any longer, so prevent from accidental read
unset($aryDatabaseConnect);
 


Now in the individual files, the all start with the same first line as above, so they cannot be directly called when browsed to.

Also, in case someone through XSS can get a variable to display on the browser, $aryDatabaseConnect is already destroyed, so less likely that even if they guess the variable that contained it, should not be available.

Now, again, if they get a decent hack script on your server it will not matter what directory you put that kind of information in, within 10 minutes easily they will be accessing your database and executing what ever queries they want against it if they want to.

-Greg


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 2 posts ] 

All times are UTC - 5 hours


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
Powered by phpBB® Forum Software © phpBB Group