Hiding your password in PHP code for logging into MySQL

Joey_X
Forum Newbie
Posts: 4
Joined: Tue Aug 19, 2008 4:41 am

Post by Joey_X »

I'm looking for ideas to hide my MySQL root password in PHP. I don't like the fact that I have to type my root's password in a cleartext document. For example:

Code:

$connection = mysql_connect("localhost", "root", "THIS_IS_MY_PASSWORD");

Here is my current idea:
Create a php file in C:\php\ called pword_encrypted.php, which contains my password, but encrypted:

Code:

<?php
  define("PRIVATE_PASSWORD", "asdfblah123");
?>

Then I created a file in C:\php\ called decryptor.php which contains a decrypt() function (to convert PRIVATE_PASSWORD to my regular password).

My result:

Code:

<?php
  include 'C:/php/pword_encrypted.php';
  include 'C:/php/decryptor.php';
  $connection = mysql_connect("localhost", "root", decrypt(PRIVATE_PASSWORD));
?>

Works like a charm, however, it seems like a dirty solution, to me. I guess it's the best solution that I have for now but I was hoping to get other people's input on how they work around this situation.
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Hiding your password in PHP code for logging into MySQL

Post by Eran »

Create a separate configuration file which should be stored in a directory with the directive 'deny from all'. Put all your important configuration data there and load it in the script when you need it. PHP has nice inbuilt functions for it like parse_ini_file(), or you can use a full-fledged component like Zend_Config and its subclasses.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Hiding your password in PHP code for logging into MySQL

Post by Mordred »

Umm, and this helps ... how?
Any vulnerability that will be able to read a php file will also be able to read the ini file. Even worse, a LFI on a .php-based configuration will just execute the configuration php code, while a LFI on a .ini file will display it on the browser.

Chris Shiflett has an old article that suggests using the environment: http://shiflett.org/articles/shared-hosting, try this if you're so worried. On a non-shared environment, this looks like a non-issue if you have the DB server configured to accept connections only from localhost.
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Hiding your password in PHP code for logging into MySQL

Post by Apollo »

If you're really paranoid, you could do something like this:

1. /inaccessible_folder/password.php is an obfuscated script that 'downloads' the password (encrypted) from another server.

2. The script on the other server only returns the correct (encrypted) password if it's called from the correct IP, has the correct agent string (to disturb people trying to call that script themselves), etc.

Instead of just getting access to the database, you can also use this to obtain a key for encrypting sensitive content in your database (using AES_ENCRYPT in SQL queries). That way, even someone getting access to your database (or to your entire server, for that matter) can not easily read the actual data without reverse engineering the above script.
Joey_X
Forum Newbie
Posts: 4
Joined: Tue Aug 19, 2008 4:41 am

Re: Hiding your password in PHP code for logging into MySQL

Post by Joey_X »

Mordred wrote:On a non-shared environment, this looks like a non-issue if you have the DB server configured to accept connections only from localhost.
It is true that my DB config will accept connections only from localhost. It is also true that the computer in question is primarily accessed by myself. My main concern is with people reading over my shoulder as I am coding.


Apollo wrote:If you're really paranoid, you could do something like this:

1. /inaccessible_folder/password.php is an obfuscated script that 'downloads' the password (encrypted) from another server.

2. The script on the other server only returns the correct (encrypted) password if it's called from the correct IP, has the correct agent string (to disturb people trying to call that script themselves), etc.
Interesting idea. I'll see about taking time to write a blatantly obfuscated hack for future use.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Hiding your password in PHP code for logging into MySQL

Post by Mordred »

Apollo wrote:If you're really paranoid, you could do something like this:

1. /inaccessible_folder/password.php is an obfuscated script that 'downloads' the password (encrypted) from another server.

2. The script on the other server only returns the correct (encrypted) password if it's called from the correct IP, has the correct agent string (to disturb people trying to call that script themselves), etc.

Instead of just getting access to the database, you can also use this to obtain a key for encrypting sensitive content in your database (using AES_ENCRYPT in SQL queries). That way, even someone getting access to your database (or to your entire server, for that matter) can not easily read the actual data without reverse engineering the above script.
So, over a non-issue, you impose a double tax on your server load. I like being paranoid, but one should also try to keep it functional.
Joey_X wrote: My main concern is with people reading over my shoulder as I am coding.
For all it matters you can publish the password on the site itself - if the database accepts only localhost connections and it's entirely your server, any attack that succeeds in connecting to the database (i.e. being able to execute arbitrary code from your host) would have succeeded no matter what precautions you would take (since the attacker would then just imitate your legit scripts).
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Hiding your password in PHP code for logging into MySQL

Post by Apollo »

Mordred wrote:So, over a non-issue, you impose a double tax on your server load. I like being paranoid, but one should also try to keep it functional.
I wouldn't call this a complete non-issue. As long as there isn't one measure which completely blocks all vulnerabilities 100%, anything that reduces the risk (at reasonable cost) is a good idea.

I do agree the reasonability of the cost is doubtful here ;)

In terms of paranoia, here's something else to consider: suppose you run a webshop and have sensitive information (customer details, credit card numbers, etc) in your database. How realistic is the risk of some fraudulent employee at your provider ripping these details and selling them on the black market?
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Hiding your password in PHP code for logging into MySQL

Post by Eran »

Umm, and this helps ... how?
Any vulnerability that will be able to read a php file will also be able to read the ini file. Even worse, a LFI on a .php-based configuration will just execute the configuration php code, while a LFI on a .ini file will display it on the browser.
Parsing an INI file does not include it, don't see how you came to that conclusion. Not sure what you mean by LFI, I'm assuming some sort of attack I am not familiar with - the initials just stand for Local File Include.
In any case it's safer to have the configuration in a non PHP script, since those can sometimes be accessed directly (depending on the development style), while a separate INI file can be placed in a non-accessible place.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Hiding your password in PHP code for logging into MySQL

Post by Mordred »

Given a non-shared environment, and a database that accepts only localhost connections, describe one attack that will benefit from having the database credentials in a .php file.
I predict that the same attack will not be mitigated if the db credentials are offsite, as you described. Hence I call it a non-issue, security measures can only help the above security layers, not the underlying ones.
In terms of paranoia, here's something else to consider: (... snip ... )
Err, how is that on topic? It is a valid problem with several possible solutions, none of which is relevant in this discussion.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Hiding your password in PHP code for logging into MySQL

Post by Mordred »

pytrin wrote:
Umm, and this helps ... how?
Any vulnerability that will be able to read a php file will also be able to read the ini file. Even worse, a LFI on a .php-based configuration will just execute the configuration php code, while a LFI on a .ini file will display it on the browser.
Parsing an INI file does not include it, don't see how you came to that conclusion. Not sure what you mean by LFI, I'm assuming some sort of attack I am not familiar with - the initials just stand for Local File Include.
In any case it's safer to have the configuration in a non PHP script, since those can sometimes be accessed directly (depending on the development style), while a separate INI file can be placed in a non-accessible place.
LFI = local file include, yes.
I didn't mean that the regular usage of the ini file would include it while parsing (I don't see how you came to the conclusion that I came to that conclusion either :) )
What I meant is that there are classes of vulnerabilities which will be mitigated if the config is in .php and not in .ini (and actually there is not a single benefit in using an .ini I can think of - maybe there are some I'm not seeing?)

Example one is being able to access the file directly, which you already mentioned. With config.inc.php direct access does not do any harm, so no additional measures are needed (which is better - there are fewer points of failure)
A second one is LFI, still a common vulnerability in the wild, whereby an include statement is manipulated to include another (but local) file. Again, including the config.inc.php will do no harm (it only defines variables, doesn't do anything), while including config.ini will display it to the attacker.
I hope I have explained it more clearly now.
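
Added example, not part of the original thread: the difference described in the post above, reproduced with two throwaway config files. The file names, the `output_of_include()` helper and the sample credentials are constructed for this illustration.

```php
<?php
// Added illustration, not from the thread. File names and credentials are
// constructed sample values written to a throwaway temp directory.
$dir = sys_get_temp_dir() . '/cfg_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);

// PHP-style config: only assigns variables, writes nothing to the response.
file_put_contents("$dir/config.inc.php",
    "<?php\n\$db_user = 'app_user';\n\$db_pass = 'sample-password';\n");

// INI-style config: contains no PHP open tag, so to include it is plain text.
file_put_contents("$dir/config.ini",
    "[database]\nuser = app_user\npass = sample-password\n");

// Include $path in an isolated function scope and return what the include
// wrote to the output stream, i.e. what the HTTP client would receive.
function output_of_include(string $path): string
{
    ob_start();
    include $path;
    return ob_get_clean();
}

// Does this text contain the sample secret?
function leaks_secret(string $text): bool
{
    return strpos($text, 'sample-password') !== false;
}

$fromPhp = output_of_include("$dir/config.inc.php");
$fromIni = output_of_include("$dir/config.ini");

// Normal use of the INI file: parsed as data, nothing reaches the response.
ob_start();
$cfg = parse_ini_file("$dir/config.ini", true, INI_SCANNER_RAW);
$fromParse = ob_get_clean();

printf("include config.inc.php: %d bytes sent, secret leaked: %s\n",
    strlen($fromPhp), var_export(leaks_secret($fromPhp), true));
printf("include config.ini:     %d bytes sent, secret leaked: %s\n",
    strlen($fromIni), var_export(leaks_secret($fromIni), true));
printf("parse_ini_file:         %d bytes sent, user parsed: %s\n",
    strlen($fromParse), $cfg['database']['user']);

// Remove the temporary files.
array_map('unlink', glob("$dir/*"));
rmdir($dir);
```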
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Hiding your password in PHP code for logging into MySQL

Post by Eran »

With config.inc.php direct access does not do any harm
Actually this is incorrect - in the case PHP is currently not working on the server (it happened to me several times while my server guys were reinstalling some software, also to Facebook one famous time), PHP files could be downloaded as plain text if they are accessible. This is of course a major vulnerability if they contain sensitive information.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Hiding your password in PHP code for logging into MySQL

Post by Mordred »

It sounds farfetched, but possible, so I concur that it's not free from "any" harm, as I originally said.
It is easily mitigated if you keep it outside of the web root (as one should with all include files), or with your original .htaccess proposal.

Also, it still does not refute my second argument about LFI, nor the third argument that with localhost-only database no one can use your login information even if he knows it.
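
Added example, not part of the original thread: one way to enforce the "outside of the web root" mitigation when loading an INI config with parse_ini_file(), by refusing to read a file that is stored unsafely. The function name `load_db_config()`, the `[database]` key names, the directory layout and the sample values are assumptions made for this sketch.

```php
<?php
// Added example: load DB settings from an INI file only if it is stored safely.
// Paths, key names and the sample values are assumptions made for this sketch.
function load_db_config(string $iniPath, string $docRoot): array
{
    $real = realpath($iniPath);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('config file or document root not found');
    }
    // Refuse a config the web server could serve as a static file.
    if (strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('config file is inside the web root');
    }
    // On Unix-like hosts, refuse a file that any local user can read.
    if (DIRECTORY_SEPARATOR === '/' && (fileperms($real) & 0004)) {
        throw new RuntimeException('config file is world-readable');
    }
    // RAW mode keeps the password as written (no boolean/constant conversion).
    $cfg = parse_ini_file($real, true, INI_SCANNER_RAW);
    foreach (['host', 'user', 'pass'] as $key) {
        if (!isset($cfg['database'][$key])) {
            throw new RuntimeException("missing [database] $key");
        }
    }
    return $cfg['database'];
}

// Constructed demo layout in a temp directory.
$base = sys_get_temp_dir() . '/ini_demo_' . bin2hex(random_bytes(4));
mkdir("$base/htdocs", 0700, true);
mkdir("$base/private", 0700);
$ini = "[database]\nhost = localhost\nuser = app_user\npass = sample-password\n";
file_put_contents("$base/htdocs/config.ini", $ini);   // weak: under the web root
file_put_contents("$base/private/config.ini", $ini);  // outside the web root
chmod("$base/private/config.ini", 0600);

foreach (["$base/htdocs/config.ini", "$base/private/config.ini"] as $path) {
    try {
        $db = load_db_config($path, "$base/htdocs");
        echo "accepted $path (user={$db['user']})\n";
    } catch (RuntimeException $e) {
        echo "rejected $path: {$e->getMessage()}\n";
    }
}
// Remove the temporary files and directories.
array_map('unlink', glob("$base/*/config.ini"));
array_map('rmdir', ["$base/htdocs", "$base/private", $base]);
```

The permission check is skipped on Windows, where file mode bits do not reflect NTFS ACLs. On Apache 2.4 the equivalent of the `deny from all` directive is `Require all denied`.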
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Hiding your password in PHP code for logging into MySQL

Post by Apollo »

Mordred wrote:Given a non-shared environment, and a database that accepts only localhost connections, describe one attack that will benefit from having the database credentials in a .php file.
I predict that the same attack will not be mitigated if the db credentials are offsite, as you described. Hence I call it a non-issue, security measures can only help the above security layers, not the underlying ones.
I wasn't specifically talking about non-shared environments only (and neither was the TS afaik ;)).
Err, how is that on topic? It is a valid problem with several possible solutions, none of which is relevant in this discussion.
Since the TS is obviously worried about strangers getting access to his DB contents, it seems pretty on topic to me to realize that even without putting the password anywhere on the server, there still may be people accessing it.

What solutions would you suggest? (or is there another topic about this if you find it more appropriate? I didn't find anything so far)
ghurtado
Forum Contributor
Posts: 334
Joined: Wed Jul 23, 2008 12:19 pm

Re: Hiding your password in PHP code for logging into MySQL

Post by ghurtado »

I concur with Mordred that this is a non-issue and comes from a misunderstanding of systems security. I have seen this focus on automated password storage come up a few times before under different names. One situation where it comes up often is the passphrase needed for Apache to start SSL services with a certain certificate. I have seen many clever hacks aimed at hiding the location of this passphrase file, and they all seem like a waste of time to me.

If an attacker has free-range access to your server (which is a prerequisite for the concern in the first place), then they have just acquired the same access level as your PHP script, possibly even more. If your PHP script needs to be able to access the database from that same level of security, how can you block one without blocking the other? The answer is you can't. You can move the password around, encrypt it, decrypt it, send it to another server, split it into subatomic particles and send it through a quantum randomizer. When you are done with all these methods, the attacker will be waiting right next to your call to mysql_connect(), which invariably requires an unencrypted password, and grab it from there.

If what you are concerned with is over-the-shoulder snooping, all you need to do is save the password in an include file which you don't need to edit often and keep that file closed.
funky_fresh33
Forum Newbie
Posts: 2
Joined: Thu Aug 21, 2008 8:14 pm
Location: Egypt

Re: Hiding your password in PHP code for logging into MySQL

Post by funky_fresh33 »

This is my idea, if you don't need to write your MySQL password in plain text... so I guess I have an idea; it may not be a bad one.

First we'll use the base64_encode() function to encode the password, e.g.

Code:

echo base64_encode("123456");

This code outputs: MTIzNDU2

Then assign the value to anything like a variable, constant or whatever.

Second, we decode the text again to revert it to plain text:

Code:

define("PASS",base64_decode("MTIzNDU2"));
echo PASS;

I know it seems like an idea from the stone age.... :banghead: