Hi,
I understand that php can be compiled. Will that compilation/obfuscation hide sensitive data such as mysql connection strings like username and password, or are there other ways to hide this?
Probably a stupid question but hey I'm just learning php - once a php file such as index.php has been compiled, does it behave just as if it had not been compiled, i.e. can it be viewed in a browser?
thanks
m
will compiled php hide mysql connection info
Re: will compiled php hide mysql connection info
PHP is a server script language. It is not compiled. Its code remains on the server (unless it is revealed through a mistake in programming, such as omitting or malforming the <?php tags). There is no PHP code sent onto the Internet, other than by such an error. PHP is interpreted in the web server, such as Apache. After doing what the code specifies, what is sent to the browser is only HTML and Javascript. So unless you're worried about neglecting to put the proper PHP tags in your code, or if you're worried about people who have access to your web server, there's no security issue.
Re: will compiled php hide mysql connection info
He probably means something like Zend Guard.
Like califdon said, PHP scripts can only be read if the server is compromised or mis-configured
Re: will compiled php hide mysql connection info
Thanks guys.
I have a grasp of how php works, but I should have given more detail.
What I am worried about is the server being compromised and the contents of the php files and the mysql connection string being in plain text form, available to anyone who can use vi.
I did look at the Zend option but I haven't tried it. It seems to be more obfuscation (like .net obfuscator) which just rearranges things and renames functions and maybe puts in dummy code to lead a hacker astray. It's definitely an option but what I really want (and this is probably not available) is to have the php compiled to binary like a C++ binary. I believe php is written in C++ so maybe there is an option for me to write an add-on (sorry I'm probably not using the right term) and have the php engine run that.
The other option is that I write some C++ app that handles the connection but then it has to communicate with the php pages and not sure if that would be secure - I would have to find a way to pass info from the C++ app to the php page. I don't imagine sending that info to stdout would be secure, but maybe there are other ways?
FYI; this web app will be running on a dedicated web server (not shared) and a dedicated mysql server.
thanks
mike.
Re: will compiled php hide mysql connection info
benthomas wrote: ... available to anyone who can use vi.
Then you're 99.99% safe - they may be able to see the pass, but they won't be able to exit vi to try it
For the other 0.005%:
1. Use the lowest possible privileges for the database user
2. Make the database accept connections only from the localhost (or the server machine's real IP, if they are separate)
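Added example, not part of the thread: one way to check both points above is to read an account's `SHOW GRANTS` output and flag privileges or host patterns wider than the application needs. The account names, database name and IP address below are constructed sample values, and the function names are made up for this example.

```sh
#!/bin/sh
# Added example: flag over-broad grants in MySQL "SHOW GRANTS" output.

# Constructed sample: a weak account and a restricted one (names and IP made up).
sample_grants() {
    cat <<'EOF'
GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'%' WITH GRANT OPTION
GRANT USAGE ON *.* TO `shop_rw`@`192.0.2.10`
GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO `shop_rw`@`192.0.2.10`
EOF
}

# audit_grants: reads SHOW GRANTS lines on stdin, prints one finding per
# problem and returns 1 if anything was flagged, 0 otherwise.
audit_grants() {
    awk -v q="'" '
    function flag(msg) { if (!seen[acct msg]++) print acct ": " msg; bad = 1 }
    /^GRANT / {
        s = $0; gsub(/`/, q, s)              # MySQL 8 quotes with backticks
        on = index(s, " ON "); to = index(s, " TO ")
        if (!on || !to) next                 # e.g. role grants: no scope to check
        privs = substr(s, 7, on - 7)
        scope = substr(s, on + 4, to - on - 4)
        acct = substr(s, to + 4); sub(/ .*/, "", acct)
        host = acct; sub(/^.*@/, "", host); gsub(q, "", host)
        if (index(host, "%")) flag("host pattern accepts connections from more than one machine")
        if (privs == "USAGE") next           # USAGE = no privileges at this scope
        if (privs ~ /ALL PRIVILEGES/) flag("ALL PRIVILEGES instead of the statements the app runs")
        if (scope == "*.*") flag("privileges granted on every database")
        if (s ~ /WITH GRANT OPTION/) flag("can pass its privileges to other accounts")
    }
    END { exit bad + 0 }
    '
}
```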
superdezign
Re: will compiled php hide mysql connection info
There's not much you can do in the actual code that could stop a hacker from figuring out your password if they were to get into your file system, but if they ever get that far, you've got far worse problems to deal with than your database password.
WebbieDave
Re: will compiled php hide mysql connection info
You can hide the login in a C library, but the curious hacker who's made it onto the box can analyze your PHP code and duplicate the lines that invoke the library and access your database that way.
superdezign wrote: There's not much you can do in the actual code that could stop a hacker from figuring out your password if they were to get into your file system, but if they ever get that far, you've got far worse problems to deal with than your database password.
Very true. However, most people run apache/php in an environment that requires them to make their php files world readable. So, if anyone logs into the box, they may be able to view the php files. On a dedicated server, you can make the file containing the password readable by only the owner and the web server. That way you've greatly lessened the number of accounts that, when compromised, can read the sensitive file.
Other ways to secure php files from others on the box (but slows down the web server) are suPHP or php-suexec configuration.
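Added example, not from the thread: a shell check for the setup described above, where the credentials file is readable only by its owner and the web server. It assumes the web server runs under a dedicated group passed as the second argument; the function names are made up for this example.

```sh
#!/bin/sh
# Added example: check that a credentials file is readable only by its
# owner and the web server's group. Path and group name are placeholders.

# audit_secret FILE WEBGROUP
# Prints one finding per problem; returns 0 if the file passes, 1 otherwise.
audit_secret() {
    file=$1; webgroup=$2; rc=0
    [ -f "$file" ] || { echo "$file: not a regular file"; return 1; }
    # ls -ld prints: mode links owner group ...
    set -- $(ls -ld -- "$file")
    mode=$1; group=$4
    grp_bits=$(printf '%s' "$mode" | cut -c5-7)
    oth_bits=$(printf '%s' "$mode" | cut -c8-10)
    [ "$oth_bits" = "---" ] || { echo "$file: accessible to every local account ($oth_bits)"; rc=1; }
    case $grp_bits in
        ?w?) echo "$file: group can modify the file"; rc=1 ;;
    esac
    [ "$group" = "$webgroup" ] || { echo "$file: group is $group, expected $webgroup"; rc=1; }
    # A trailing "+" means an ACL is set, which can grant access the mode bits hide.
    case $mode in
        *+) echo "$file: has an ACL; review it with getfacl"; rc=1 ;;
    esac
    return $rc
}

# lock_down_secret FILE WEBGROUP: owner read/write, web server group read-only.
lock_down_secret() {
    chgrp -- "$2" "$1" && chmod 640 -- "$1"
}
```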
Re: will compiled php hide mysql connection info
Thanks WebbieDave. I'll look into suPHP and php-suexec.
mike