will compiled php hide mysql connection info

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

benthomas
Forum Newbie
Posts: 3
Joined: Sat Jun 14, 2008 2:32 pm

will compiled php hide mysql connection info

Post by benthomas »

Hi,

I understand that php can be compiled. Will that compilation/obfuscation hide sensitive data such as mysql connection strings like username and password, or are there other ways to hide this?

Probably a stupid question but hey I'm just learning php - once a php file such as index.php has been compiled, does it behave just as if it had not been compiled i.e. can it be viewed in a browser.

thanks
m
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: will compiled php hide mysql connection info

Post by califdon »

benthomas wrote:
Hi,

I understand that php can be compiled. Will that compilation/obfuscation hide sensitive data such as mysql connection strings like username and password, or are there other ways to hide this?

Probably a stupid question but hey I'm just learning php - once a php file such as index.php has been compiled, does it behave just as if it had not been compiled i.e. can it be viewed in a browser.

thanks
m

PHP is a server script language. It is not compiled. Its code remains on the server (unless it is revealed through a mistake in programming, such as omitting or malforming the <?php tags). There is no PHP code sent onto the Internet, other than by such an error. PHP is interpreted in the web server, such as Apache. After doing what the code specifies, what is sent to the browser is only HTML and Javascript. So unless you're worried about neglecting to put the proper PHP tags in your code, or if you're worried about people who have access to your web server, there's no security issue.
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: will compiled php hide mysql connection info

Post by Eran »

He probably means something like Zend Guard.
Like califdon said, PHP scripts can only be read if the server is compromised or mis-configured.
benthomas
Forum Newbie
Posts: 3
Joined: Sat Jun 14, 2008 2:32 pm

Re: will compiled php hide mysql connection info

Post by benthomas »

Thanks guys.

I have a grasp of how php works, but I should have given more detail.

What I am worried about is the server being compromised and the contents of the php files and the mysql connection string being in plain text form, available to anyone who can use vi.

I did look at the Zend option but I haven't tried it. It seems to be more obfuscation (like .net obfuscator) which just rearranges things and renames functions and maybe puts in dummy code to lead a hacker astray. It's definitely an option but what I really want (and this is probably not available) is to have the php compiled to binary like a C++ binary. I believe php is written in C++ so maybe there is an option for me to write an add-on (sorry I'm probably not using the right term) and have the php engine run that.

The other option is that I write some C++ app that handles the connection but then it has to communicate with the php pages and not sure if that would be secure - I would have to find a way to pass info from the C++ app to the php page. I don't imagine sending that info to stdout would be secure, but maybe there are other ways?

FYI; this web app will be running on a dedicated web server (not shared) and a dedicated mysql server.

thanks
mike.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: will compiled php hide mysql connection info

Post by Mordred »

benthomas wrote:
... available to anyone who can use vi.

Then you're 99.99% safe - they may be able to see the pass, but they won't be able to exit vi to try it :)

For the other 0.005%:
1. Use lowest possible privileges of the database user
2. Make the database accept connections only from the localhost (or the server machine's real ip, if they are separate)
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Re: will compiled php hide mysql connection info

Post by superdezign »

There's not much you can do in the actual code that could stop a hacker from figuring out your password if they were to get into your file system, but if they ever get that far, you've got far worse problems to deal with than your database password.
WebbieDave
Forum Contributor
Posts: 213
Joined: Sun Jul 15, 2007 7:07 am

Re: will compiled php hide mysql connection info

Post by WebbieDave »

You can hide the login in a C library, but the curious hacker who's made it onto the box can analyze your PHP code and duplicate the lines that invoke the library and access your database that way.
superdezign wrote:
There's not much you can do in the actual code that could stop a hacker from figuring out your password if they were to get into your file system, but if they ever get that far, you've got far worse problems to deal with than your database password.

Very true. However, most people run apache/php in environment that requires them to make their php files world readable. So, if anyone logs into the box, they may be able to view the php files. On a dedicated server, you can make the file containing the password readable by only the owner and the web server. That way you've greatly lessened the number of accounts that, when compromised, can read the sensitive file.

Other ways to secure php files from others on the box (but slows down the web server) are suPHP or php-suexec configuration.
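Putting Mordred's two points and WebbieDave's file-permission advice into a deployable form, as an added example that is not code from anyone in this thread: a POSIX shell script that keeps the MySQL credentials in a file readable only by its owner and the web-server group, verifies that nothing else on the box can read it, and emits the SQL for a least-privilege MySQL account bound to one host. The file path, account names, group name and password are placeholders, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from this thread): keep the MySQL credentials in a file
# outside the document root that only the owner and the web-server group can
# read, and give the application a least-privilege MySQL account that may only
# connect from the host PHP runs on. Names, paths and the password below are
# placeholders; stat -c assumes GNU coreutils (Linux).
set -eu

# Return 0 if FILE is not readable by "other" (anyone else who can log in), 1 otherwise.
secret_not_world_readable() {
    case "$(stat -c '%a' "$1")" in
        *[4567]) return 1 ;;   # last octal digit carries the "other" read bit
        *)       return 0 ;;
    esac
}

# Owner read/write, web-server group read-only, nothing for anyone else.
# At deploy time also run (as root): chown root:www-data /etc/myapp/db.ini
restrict_secret() {
    chmod 640 "$1"
}

# Emit SQL for an application account limited to one database and one host.
# Use 'localhost' when MySQL runs on the same box, or the web server's real IP
# when the database server is separate; the account then works from nowhere else.
least_privilege_grants() {
    db=$1; user=$2; host=$3; password=$4
    printf "CREATE USER '%s'@'%s' IDENTIFIED BY '%s';\n" "$user" "$host" "$password"
    printf "GRANT SELECT, INSERT, UPDATE, DELETE ON %s.* TO '%s'@'%s';\n" "$db" "$user" "$host"
}

# Demonstration on a constructed credential file in a temporary directory.
tmp=$(mktemp -d)
cat > "$tmp/db.ini" <<'EOF'
; constructed example, not real credentials
user = app
password = PLACEHOLDER_PASSWORD
EOF
chmod 644 "$tmp/db.ini"                      # the usual world-readable state
secret_not_world_readable "$tmp/db.ini" || echo "before: anyone on the box can read db.ini"
restrict_secret "$tmp/db.ini"
secret_not_world_readable "$tmp/db.ini" && echo "after: db.ini readable by owner and group only"
least_privilege_grants appdb app localhost PLACEHOLDER_PASSWORD
rm -r "$tmp"
```

The generated SQL is meant to be reviewed and run by the MySQL administrator once; the application itself only ever needs the restricted account.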
benthomas
Forum Newbie
Posts: 3
Joined: Sat Jun 14, 2008 2:32 pm

Re: will compiled php hide mysql connection info

Post by benthomas »

WebbieDave wrote:
Very true. However, most people run apache/php in environment that requires them to make their php files world readable. So, if anyone logs into the box, they may be able to view the php files. On a dedicated server, you can make the file containing the password readable by only the owner and the web server. That way you've greatly lessened the number of accounts that, when compromised, can read the sensitive file.

Other ways to secure php files from others on the box (but slows down the web server) are suPHP or php-suexec configuration.

Thanks WebbieDave. I'll look into suPHP and php-suexec.
mike