
Thread: database security question

  1. #1
    Join Date
    Jan 2007
    Location
    Davenport, Iowa
    Posts
    1,875
    Thanks
    92
    Thanked 97 Times in 95 Posts

    Default database security question

    I've been thinking of security questions lately, but I am not too worried. I have been rather careful with my data thus far.

    Let's say that someone were to know the address for my database connect file. The file is simple with:
    PHP Code:
    <?php
    $connect = mysql_connect("host", "username", "password") or die(mysql_error());
    mysql_select_db("database1", $connect) or die(mysql_error());
    ?>
    Should this be better protected?
    Last edited by james438; 03-14-2010 at 05:28 AM.
    To choose the lesser of two evils is still to choose evil. My personal site

  2. #2
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 516 Times in 502 Posts
    Blog Entries
    5

    Default

    You can store your DB connection file behind your web root directory. Your pages will still be able to include() it, but it will be inaccessible to the general public:
    PHP Code:
    include($_SERVER['DOCUMENT_ROOT'].'/../includes/database.php'); 

  3. #3
    Join Date
    Jan 2007
    Location
    Davenport, Iowa
    Posts
    1,875
    Thanks
    92
    Thanked 97 Times in 95 Posts

    Default

    What is a good test I could do to see if it is working? I must be really lazy, because I created the database connect file in the root directory and then placed an include file in my old database connect file to the database connect file that is now located in the root directory. Not sure if that will work though.

    For example www.mysite.com/test.php contains:
    PHP Code:
    <?php
    include '../connect.php';
    ?>
    ############################

    If http://www.mysite.com/test.php contains:
    Code:
    <?php 
    $connect = mysql_connect("host", "username", "password") or die(mysql_error()); 
    mysql_select_db("database1",$connect) or die(mysql_error()); 
    ?>
    Like it did before, how could I do a test hack of my site? I have a few websites, so I can test this using another website.
    Last edited by james438; 03-14-2010 at 03:39 AM.

  4. #4
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 516 Times in 502 Posts
    Blog Entries
    5

    Default

    I don't do much security-test-hacking, so I couldn't really help you there. The general consensus among PHP security articles is that, if your scripts and host are set up correctly, then behind the web root is all but completely inaccessible to the general public - and most malicious users.

    That said, let me clarify:

    Quote Originally Posted by james438
    I created the database connect file in the root directory...
    Not in your root, behind it. Your root directory might be something like /home/username/public_html/. "Behind" your root means someplace like /home/username/includes/. It's completely invisible to the public, meaning you can't type that address into your browser and find anything. You have to go through your ftp client or webhost control panel to find it.

    Your example uses a relative url: "../connect.php".

    You need an absolute (or root-relative) url for this, unless you never connect to your db from anywhere except your root directory, and/or depending on your server configuration. Like so: "/../connect.php", or in the case of my example in the above paragraph, "/../includes/connect.php".

  5. #5
    Join Date
    Jan 2007
    Location
    Davenport, Iowa
    Posts
    1,875
    Thanks
    92
    Thanked 97 Times in 95 Posts

    Default

    What I meant is that there are two files. oldconnect.php and newconnect.php.

    oldconnect.php is located in username/html/include/connect.php and contains:

    PHP Code:
    <?php
    include '../newconnect.php';
    ?>
    newconnect.php is located in username/newconnect.php and contains:

    PHP Code:
    <?php
    $connect = mysql_connect("host", "username", "password") or die(mysql_error());
    mysql_select_db("database1", $connect) or die(mysql_error());
    ?>
    I think I just realized what you mean about relative vs absolute url. I added the following to oldconnect.php:
    PHP Code:
    <?php
    $thisdir = "$_SERVER[PHP_SELF]";
    $thisdir = explode('/', $thisdir);
    $thisdir = count($thisdir);
    if ($thisdir == 3) include '../../newconnect.php';
    else include '../newconnect.php';
    ?>
    It's crude, but suits my needs fine.

    The problem is that I am unsure if oldconnect.php, which is not located above the root, but refers to newconnect.php which does the actual database connecting and is located above the root, is safe.
    Last edited by james438; 03-14-2010 at 05:23 AM. Reason: fixed some naming errors

  6. #6
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 516 Times in 502 Posts
    Blog Entries
    5

    Default

    uh... just to make sure I'm following you, newconnect.php (which contains the DB info) is behind the web root, correct? If so, then yes, it's good.

    Also, you don't need all that code to determine which directory you're in. Try simply:
    PHP Code:
    <?php
    include($_SERVER['DOCUMENT_ROOT']."/../connect.php");
    ?>

  7. The Following User Says Thank You to traq For This Useful Post:

    james438 (03-14-2010)
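As an added example (not code posted in this thread), here is what the "behind the web root" connection file can look like when it also answers the question of how to test the placement: it resolves its own real path and refuses to run if it turns out to be under the document root, and it is included via dirname() of DOCUMENT_ROOT so the include works from any depth under public_html. The path /home/username/includes/database.php, the DSN and the credential values are assumptions, and PDO is used in place of the thread's mysql_* calls.

```php
<?php
// Assumed location: /home/username/includes/database.php (outside public_html).
// Added example, not code from the thread. Include it from any page under the
// web root with:
//   require dirname($_SERVER['DOCUMENT_ROOT']) . '/includes/database.php';
// dirname() of the document root walks exactly one level up, so the include
// works from any subdirectory, unlike a relative '../newconnect.php'.

declare(strict_types=1);

/**
 * True when $file lives outside $docRoot after symlinks and '..' segments are
 * resolved. A file the web server can serve as a URL is, by definition,
 * somewhere under the document root, so this is the check the thread asks for.
 */
function isOutsideDocumentRoot(string $file, string $docRoot): bool
{
    $realFile = realpath($file);
    $realRoot = realpath($docRoot);
    if ($realFile === false || $realRoot === false) {
        return false; // unresolvable paths fail closed
    }
    $realRoot = rtrim($realRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($realFile, $realRoot, strlen($realRoot)) !== 0;
}

// Refuse to expose credentials if this file is ever copied back into public_html.
if (!isOutsideDocumentRoot(__FILE__, $_SERVER['DOCUMENT_ROOT'])) {
    http_response_code(500);
    exit('database.php must be stored outside the document root');
}

// Credentials exist only in this file; pages under the web root never see them.
// Assumed DSN, user and password values.
$connect = new PDO(
    'mysql:host=localhost;dbname=database1;charset=utf8mb4',
    'username',
    'password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);
```

A second, independent check is to request the file's would-be URL in a browser and confirm the server answers 404 rather than a blank page, since a blank 200 would mean PHP executed the file and its credentials are reachable over HTTP.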

  8. #7
    Join Date
    Jan 2007
    Location
    Davenport, Iowa
    Posts
    1,875
    Thanks
    92
    Thanked 97 Times in 95 Posts

    Default

    Sorry about that. I fixed the naming errors in my previous post.

    I like your code. I didn't know I could do that. My code has been updated and is now safer.

  9. #8
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 516 Times in 502 Posts
    Blog Entries
    5
