database user/pass protection

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

User avatar
Pyrite
Forum Regular
Posts: 769
Joined: Tue Sep 23, 2003 11:07 pm
Location: The Republic of Texas
Contact:

database user/pass protection

Post by Pyrite »

So a thought just occured to me, if someone hacked into my webserver, and looked at my config.php file and got the user/pass for my MySQL server, they could basically have my database no matter where it resided (locally or on another server). Is there any way for me to protect the config where the user/pass is stored from physical intrusion?
User avatar
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

no, user accounts on mysql are associated with the host:

ex: burrito@localhost or burrito@66.217.54.69

they could however get to it while they were on your machine and create such an account 8O

best practice: keep people from hacking into your web server :?
User avatar
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

If your config file is safe, databases can limit access to localhost.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

Burrito wrote:no, user accounts on mysql are associated with the host
Not always. It depends on the setting and configuration of mysql. You *can* set an account to all hosts. (burrito@all)

Also, on some hosts, you cant connect remotely, while on others, you can.
User avatar
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

Roja wrote:Not always. It depends on the setting and configuration of mysql. You *can* set an account to all hosts. (burrito@all)
is that NOT associated with a host? In that case "all"? My point was the likelyhood of someone who has their username and password running queries against the database remotely is not very high as a username has to be tied to a host. Sure if they were on the machine locally they could create an account "Roja@all" but then they could also create an account "Roja@66.217.49.67" etc.

I don't think anyone (at least anyone with any sense) would puposely create an account "Roja@all"...if they would, they have bigger fish to fry than the topic of this thread.

I did read the article Tim suggested and it looks like a viable option (create env vars for the un and pass and call them from the $_SERVER[] array...wonder if there's an IIS alternative?
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

Burrito wrote: is that NOT associated with a host?
Nope. its associated with *all* hosts. Definite difference.
Burrito wrote: In that case "all"? My point was the likelyhood of someone who has their username and password running queries against the database remotely is not very high as a username has to be tied to a host.
And my point was that it is high - because a username doesnt have to be tied to a host - it can be open to any host.
Burrito wrote: I don't think anyone (at least anyone with any sense) would puposely create an account "Roja@all"...if they would, they have bigger fish to fry than the topic of this thread.
Last I checked, creating a new db user in BOTH webmin AND cpanel does exactly that. Considering that that covers at least 70% of the hosts out there - I'd call that common, and very relevant.

Not just arguing for the sake of argument.. its a very common configuration, and it makes for a serious security issue.

It was a serious problem on Sourceforge three years ago, for example: Anyone with shell hosting was able to see our db config, so we ended up having to request special security for our project (Blacknova Traders). (Things on SF have changed since then).

Its NOT uncommon.
User avatar
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

learn something new everyday...
User avatar
Pyrite
Forum Regular
Posts: 769
Joined: Tue Sep 23, 2003 11:07 pm
Location: The Republic of Texas
Contact:

Post by Pyrite »

Ambush Commander wrote:If your config file is safe, databases can limit access to localhost.
May be I didn't explain well, I am wanting to know how to keep the config file safe (nothing to do with MySQL). Is it possible that I could have the password hashed somehow?
User avatar
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

/offtopic

Yeah, I remember back when I had a project up on SF.net. Sooo unsecure. You could stroll into anyones folder and view their config and mess with the script. :roll:

/back_on_topic

If they had access to the config file, that means they most likely could see any other file and scan for security holes. Once one is found, they could do something like execute scripts remotely, or forcefully upload scripts and that could give them control of the db.

So because of that reason, among others, it's very important to code securely even if the project/site isn't open source.
User avatar
Pyrite
Forum Regular
Posts: 769
Joined: Tue Sep 23, 2003 11:07 pm
Location: The Republic of Texas
Contact:

Post by Pyrite »

I am worried though that if my web server is hacked, and my config.php can be viewed, then my sensitive database would be compromised. How can I protect my config.php ? :wink:
User avatar
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
Contact:

Post by John Cartwright »

You can store your config file outside the web root, making it invisible to "crackers"
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

meaby consider reading the article i mentionned again.. ;)
User avatar
Pyrite
Forum Regular
Posts: 769
Joined: Tue Sep 23, 2003 11:07 pm
Location: The Republic of Texas
Contact:

Post by Pyrite »

I did read it, and it seems it is focused on remote exploits. I am concerned about a cracker having access to my server, through whatever means and viewing my config.php to find the db credentials and viewing my database. Has nothing to do with remote exploits.

The fact of the matter is, my db credentials are sitting there on my server in a plain text file. That is not good! Even Windows doesn't do that. :wink:
User avatar
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

::Puts on Tin Foil Hat::
Post Reply