will compiled php hide mysql connection info
Posted: Sat Jun 14, 2008 3:05 pm
by benthomas
Hi,
I understand that php can be compiled. Will that compilation/obfuscation hide sensitive data such as mysql connection strings like username and password, or are there other ways to hide this?
Probably a stupid question but hey I'm just learning php - once a php file such as index.php has been compiled, does it behave just as if it had not been compiled, i.e. can it be viewed in a browser?
thanks
m
Re: will compiled php hide mysql connection info
Posted: Sat Jun 14, 2008 3:44 pm
by califdon
benthomas wrote:Hi,
I understand that php can be compiled. Will that compilation/obfuscation hide sensitive data such as mysql connection strings like username and password, or are there other ways to hide this?
Probably a stupid question but hey I'm just learning php - once a php file such as index.php has been compiled, does it behave just as if it had not been compiled, i.e. can it be viewed in a browser?
thanks
m
PHP is a server script language. It is not compiled. Its code remains on the server (unless it is revealed through a mistake in programming, such as omitting or malforming the <?php tags). There is no PHP code sent onto the Internet, other than by such an error. PHP is interpreted in the web server, such as Apache. After doing what the code specifies, what is sent to the browser is only HTML and JavaScript. So unless you're worried about neglecting to put the proper PHP tags in your code, or if you're worried about people who have access to your web server, there's no security issue.
Re: will compiled php hide mysql connection info
Posted: Sat Jun 14, 2008 3:56 pm
by Eran
He probably means something like Zend Guard.
Like califdon said, PHP scripts can only be read if the server is compromised or mis-configured.
Re: will compiled php hide mysql connection info
Posted: Sat Jun 14, 2008 7:32 pm
by benthomas
Thanks guys.
I have a grasp of how php works, but I should have given more detail.
What I am worried about is the server being compromised and the contents of the php files and the mysql connection string being in plain text form, available to anyone who can use vi.
I did look at the Zend option but I haven't tried it. It seems to be more obfuscation (like .net obfuscator) which just rearranges things and renames functions and maybe puts in dummy code to lead a hacker astray. It's definitely an option but what I really want (and this is probably not available) is to have the php compiled to binary like a C++ binary. I believe php is written in C++ so maybe there is an option for me to write an add-on (sorry I'm probably not using the right term) and have the php engine run that.
The other option is that I write some C++ app that handles the connection but then it has to communicate with the php pages and not sure if that would be secure - I would have to find a way to pass info from the C++ app to the php page. I don't imagine sending that info to stdout would be secure, but maybe there are other ways?
FYI; this web app will be running on a dedicated web server (not shared) and a dedicated mysql server.
thanks
mike.
Re: will compiled php hide mysql connection info
Posted: Sun Jun 15, 2008 12:57 am
by Mordred
benthomas wrote:... available to anyone who can use vi.
Then you're 99.99% safe - they may be able to see the pass, but they won't be able to exit vi to try it
For the other 0.005%:
1. Use lowest possible privileges of the database user
2. Make the database accept connections only from the localhost (or the server machine's real ip, if they are separate)
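One way to express the two points above at the MySQL account level, as an added example that is not part of the original thread: a shell helper that prints the SQL for an account bound to a single client host with row-level privileges only. The names appdb and webapp, the address 192.0.2.10 and the password placeholder are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. appdb, webapp and 192.0.2.10 are
# constructed placeholders; review the output, then feed it to: mysql -u root -p

# least_priv_sql DB USER HOST
# Prints SQL creating USER, usable only from HOST, with row-level
# privileges on DB and nothing else (no FILE, DROP, GRANT OPTION, ...).
least_priv_sql() {
    lp_db=$1 lp_user=$2 lp_host=$3

    # MySQL treats % and _ in the host part as wildcards; an account such as
    # 'webapp'@'%' is usable from any machine that can reach the port.
    case $lp_host in
        ''|*%*|*_*|*[!A-Za-z0-9.:-]*)
            echo "refusing host pattern: '$lp_host'" >&2
            return 1 ;;
    esac

    # Plain identifiers only, so nothing in the names can break the quoting.
    for lp_id in "$lp_db" "$lp_user"; do
        case $lp_id in
            ''|*[!A-Za-z0-9_]*)
                echo "refusing identifier: '$lp_id'" >&2
                return 1 ;;
        esac
    done

    printf "CREATE USER '%s'@'%s' IDENTIFIED BY '<CHANGE-ME>';\n" \
        "$lp_user" "$lp_host"
    printf "GRANT SELECT, INSERT, UPDATE, DELETE ON \`%s\`.* TO '%s'@'%s';\n" \
        "$lp_db" "$lp_user" "$lp_host"
    printf "SHOW GRANTS FOR '%s'@'%s';\n" "$lp_user" "$lp_host"
}

# Web server and database on separate machines: bind the account to the
# web server's address (constructed value). Use localhost when they share a box.
least_priv_sql appdb webapp 192.0.2.10
```

With an account like this, a password read from a PHP file is only usable from the web server's address and only for row operations on that one database.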
Re: will compiled php hide mysql connection info
Posted: Sun Jun 15, 2008 5:23 am
by superdezign
There's not much you can do in the actual code that could stop a hacker from figuring out your password if they were to get into your file system, but if they ever get that far, you've got far worse problems to deal with than your database password.
Re: will compiled php hide mysql connection info
Posted: Sun Jun 15, 2008 1:14 pm
by WebbieDave
You can hide the login in a C library, but the curious hacker who's made it onto the box can analyze your PHP code and duplicate the lines that invoke the library and access your database that way.
superdezign wrote:There's not much you can do in the actual code that could stop a hacker from figuring out your password if they were to get into your file system, but if they ever get that far, you've got far worse problems to deal with than your database password.
Very true. However, most people run apache/php in an environment that requires them to make their php files world readable. So, if anyone logs into the box, they may be able to view the php files. On a dedicated server, you can make the file containing the password readable by only the owner and the web server. That way you've greatly lessened the number of accounts that, when compromised, can read the sensitive file.
Other ways to secure php files from others on the box (but slows down the web server) are suPHP or php-suexec configuration.
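The owner-plus-web-server permission scheme described above, as an added example that is not part of the original thread: shell functions that lock a credentials file to mode 640 with the web server's group and audit a directory for files other accounts can still read. The path and the group name www-data in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. The path and group in the usage
# comment are hypothetical; the web server's group is commonly www-data
# on Debian-style systems and apache on Red Hat-style ones.

# is_exposed FILE -> exit 0 if "other" has any permission bit on FILE.
is_exposed() {
    [ -n "$(find "$1" -prune \( -perm -0004 -o -perm -0002 -o -perm -0001 \))" ]
}

# lock_secret FILE GROUP
# Leaves FILE read/write for its owner, read-only for GROUP (the web
# server), and closed to every other account on the box.
lock_secret() {
    ls_file=$1 ls_group=$2
    [ -f "$ls_file" ] || { echo "no such file: $ls_file" >&2; return 1; }
    chgrp "$ls_group" "$ls_file" || return 1
    chmod 640 "$ls_file" || return 1
    if is_exposed "$ls_file"; then
        echo "still accessible to other users: $ls_file" >&2
        return 1
    fi
}

# audit_tree DIR
# Prints every regular file under DIR that other users can read, which is
# where a world-readable credentials include would show up.
audit_tree() {
    find "$1" -type f -perm -0004
}

# Demo on a constructed temporary file, using the caller's own group so it
# runs without root. On the real server (as the file's owner or root):
#   lock_secret /var/www/app/config/db.php www-data
#   audit_tree /var/www/app/config
demo=$(mktemp)
chmod 644 "$demo"
is_exposed "$demo" && echo "before: world-readable"
lock_secret "$demo" "$(id -g)" && echo "after: owner and group only"
rm -f "$demo"
```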
Re: will compiled php hide mysql connection info
Posted: Sun Jun 15, 2008 2:12 pm
by benthomas
WebbieDave wrote:
Very true. However, most people run apache/php in an environment that requires them to make their php files world readable. So, if anyone logs into the box, they may be able to view the php files. On a dedicated server, you can make the file containing the password readable by only the owner and the web server. That way you've greatly lessened the number of accounts that, when compromised, can read the sensitive file.
Other ways to secure php files from others on the box (but slows down the web server) are suPHP or php-suexec configuration.
Thanks WebbieDave. I'll look into suPHP and php-suexec.
mike