Securing MySQL database with PHP code

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

robert4442
Forum Newbie
Posts: 10
Joined: Sat May 25, 2002 3:04 pm
Location: USA

Securing MySQL database with PHP code

Post by robert4442 »

I wrote a script in PHP that accesses a MySQL database. The database has a table that contains email addresses. If I google one of the email addresses I come up with the following:
phpMyAdmin
3, jamesbakertpa@yahoo.com, Mr. Baker. Edit • Delete, 176, Bob.Shaye@newline.com, Robert, Shaye. Edit • Delete, 177, Michael.Lynne@newline.com, Michael ...
http://www.florida-family.org/phpmyadmi ... tf8_genera... - 67k - Cached - Similar pages


This search is going right into my database and pulling info from it. I googled another email and it gave me all the emails in the database. My ISP is telling me that I must secure the data through my web code. Can you help me? I don't know exactly what I need to do to secure this info.
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: Securing MySQL database with PHP code

Post by califdon »

Are you sure that the search engine obtained the information from your site? As far as I know, if you use standard PHP programming and database connections, a search engine bot can't retrieve data from a database. For one thing, the location of the data is outside the web server root. There are many other possible sources for most of this kind of information.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Securing MySQL database with PHP code

Post by matthijs »

You have to close the access to phpmyadmin! It's totally open and reachable from the web. I can go there and manage your complete db, read, empty, drop. Close down access immediately. I hope the information in the db is not real personal info?
vspin
Forum Commoner
Posts: 33
Joined: Tue Apr 29, 2008 6:31 pm

Re: Securing MySQL database with PHP code

Post by vspin »

matthijs wrote:You have to close the access to phpmyadmin! It's totally open and reachable from the web. I can go there and manage your complete db, read, empty, drop. Close down access immediately. I hope the information in the db is not real personal info?
matthijs hit this one on the button. Search engines go to your web site and extract as many URLs as they can find and follow each and every URL (excluding the ones that contain a specific link attribute), searching for more URLs on your web site. As already stated, your phpmyadmin does not require authentication at all, which would deny a web crawler.

This is how it should look for your phpmyadmin directory:

http://spirit.dos.uci.edu/phpmyadmin/
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: Securing MySQL database with PHP code

Post by califdon »

Aha! Important advice! So if you run your own server and install phpmyadmin yourself, you may have a vulnerability? I used to operate my own servers and may have had such an issue. Now I use a hosting service that protects it within their own user control panel. I'm still confused, though, about how a search engine bot gets beyond the login that phpmyadmin employs. I followed the link that vspin supplied and could only view the login screen. I realize that a hacker could very likely gain access, but how could a search engine crawler see anything there from the database??
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Securing MySQL database with PHP code

Post by matthijs »

califdon wrote:Aha! Important advice! So if you run your own server and install phpmyadmin yourself, you may have a vulnerability? I used to operate my own servers and may have had such an issue. Now I use a hosting service that protects it within their own user control panel. I'm still confused, though, about how a search engine bot gets beyond the login that phpmyadmin employs. I followed the link that vspin supplied and could only view the login screen. I realize that a hacker could very likely gain access, but how could a search engine crawler see anything there from the database??
Yes. You definitely need to protect that.

When I looked at the link I had direct access to phpmyadmin. No password required. So any bot can crawl that too. I think robert wisely removed it now.
vspin
Forum Commoner
Posts: 33
Joined: Tue Apr 29, 2008 6:31 pm

Re: Securing MySQL database with PHP code

Post by vspin »

califdon wrote:Aha! Important advice! So if you run your own server and install phpmyadmin yourself, you may have a vulnerability? I used to operate my own servers and may have had such an issue. Now I use a hosting service that protects it within their own user control panel. I'm still confused, though, about how a search engine bot gets beyond the login that phpmyadmin employs. I followed the link that vspin supplied and could only view the login screen. I realize that a hacker could very likely gain access, but how could a search engine crawler see anything there from the database??
califdon,

<<So if you run your own server and install phpmyadmin yourself, you may have a vulnerability?>>

If it's not installed correctly, definitely. Even if it is installed correctly and is accessible through the Internet, it can be easily hacked if not run on a secure server. What I mean is, your login credentials (username and password) can be sniffed by a hacker in plain text after you submit the login. A secure server will at least encrypt the data across the network.

http://netsecurity.about.com/cs/hackert ... 121403.htm

<<I'm still confused, though, about how a search engine bot gets beyond the login that phpmyadmin employs.>>

As matthijs has stated, robert4442's login page did not exist. His page took you directly to the admin controls.

<<I followed the link that vapin supplied and could only view the login screen. I realize that a hacker could very likely gain access, but how could a search engine crawler see anything there from the database??>>

The crawler can not see beyond the login page of the link I provided. The link I provided was done right. It was robert4442's page that was not.
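As an added illustration of the two points vspin raises above (a phpMyAdmin that opens straight into the admin controls with no login prompt, and credentials crossing the wire in cleartext), here is the relevant part of phpMyAdmin's config.inc.php in its weak and hardened forms. This is example configuration written for this thread, not anything robert4442 or the phpMyAdmin project posted here; the setting names are phpMyAdmin's own, while the administrator IP address 203.0.113.10 and the placeholder secret are assumptions for the example.

```php
<?php
// Added example for this thread (not from the original posts).
// Two versions of the server block in phpMyAdmin's config.inc.php.
// 203.0.113.10 is an assumed admin workstation address; replace it.

$i = 1;
$cfg['Servers'][$i]['host'] = 'localhost';

// --- WEAK: the kind of setup that produces "no login page".
// auth_type 'config' stores the MySQL credentials in this file and logs
// every visitor in automatically, so a search-engine crawler that follows
// a link to /phpmyadmin/ sees the tables exactly as the admin would.
//
// $cfg['Servers'][$i]['auth_type'] = 'config';
// $cfg['Servers'][$i]['user']      = 'root';
// $cfg['Servers'][$i]['password']  = 'secret';

// --- HARDENED replacement for the block above.

// 'cookie' prompts for MySQL credentials on each new session and stores
// nothing in this file. Cookie mode needs blowfish_secret to encrypt the
// session cookie; generate 32 random bytes (e.g. openssl rand -base64 32).
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['blowfish_secret'] = 'REPLACE-WITH-32-RANDOM-BYTES';   // placeholder

// Refuse MySQL accounts that have no password at all.
$cfg['Servers'][$i]['AllowNoPassword'] = false;

// Allow only the admin workstation, deny everyone else.
// Rules are "allow|deny <user> from <ip or mask>"; '%' matches any user.
// With order 'allow,deny' access is denied unless an allow rule matches.
$cfg['Servers'][$i]['AllowDeny']['order'] = 'allow,deny';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array(
    'allow % from 203.0.113.10',   // assumed admin IP
    'deny % from all',
);

// Redirect plain-HTTP requests to HTTPS so the login form is never
// submitted in cleartext (the sniffing concern raised in the thread).
$cfg['ForceSSL'] = true;
```

The AllowDeny rules only run once a request has reached phpMyAdmin's PHP code, so they are a second line of defence, not a substitute for restricting the /phpmyadmin/ directory at the web server itself (an IP allow list or HTTP authentication on that directory), or for taking the install off any publicly reachable virtual host altogether, which is what "close down access immediately" above amounts to.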