Just reply:
If your code had to be exposed to the public at any time, would it expose the credentials?
If you do:
$login = 'usuario';
$senha = 'minhasenha';
this is the case of hard-coded credentials and hard-coded cryptographic keys. The reasoning is that storing a public key in the code (able only to encrypt and verify signatures) is generally not a bad idea, but that is not the case here.
One of the very simple alternatives is to use getenv(), which reads a user environment variable. An example:
$pdo = new \PDO(
    'mysql:host=100.100.100.100;dbname=banco_de_dados',
    getenv('MYSQL_USUARIO'),
    getenv('MYSQL_SENHA')
);

$mysqli = new \mysqli('100.100.100.100',
    getenv('MYSQL_USUARIO'),
    getenv('MYSQL_SENHA'),
    'banco_de_dados'
);
Obviously you need to set the environment variables on the production server beforehand, and only it should have this information.
This is also done for API keys, for example:
$proof = hash_hmac('sha256', $fbToken, getenv('FACEBOOK_SECRET'));
$curl = curl_init('https://graph.facebook.com/me/accounts?appsecret_proof=' . $proof . '&access_token=' . $fbToken);
//...
Note: sha256 is set right in the code because it is the only method supported by Facebook.
Using getenv(), even if your code is exposed, both the database passwords and Facebook's secret key are safe in this example. It is also ideal to use physically distinct servers, one for PHP and another for MySQL.
If you set $senha_do_banco = '123456789', your exposed code will cause many more problems, giving away the database information and the key of the Facebook application.
In addition, your production server will have (and should have!) passwords different from development. Once the environment variables are set, each server will have different passwords without ever changing the code.
Also, doing this:
index.php
include('conexao.php');
echo 'Você está no index';
is useless: if the interpreter fails (or is forced to fail), the "user" can go to site.com/conexao.php and will get the information, although this may be considered "rare".
Placing the file in an unreachable location would be less useable:
index.php
include('../conexao.php');
echo 'Você está no index';
I recommend you read:
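As an added illustration (not code from the original answer), a connection helper that combines the two points above: credentials come only from the environment, and a missing variable is treated as a fatal misconfiguration rather than silently connecting with blank values. MYSQL_USUARIO and MYSQL_SENHA are the answer's names; MYSQL_HOST and MYSQL_DB are assumed here.

```php
<?php
// Added example: credentials are read from the environment, never from the source.
// MYSQL_HOST and MYSQL_DB are assumed variable names; the other two follow the answer.
declare(strict_types=1);

/**
 * Read a required environment variable; throw instead of returning an empty string,
 * so a misconfigured server fails loudly rather than connecting with blank credentials.
 */
function requireEnv(string $name): string
{
    $value = getenv($name);
    if ($value === false || $value === '') {
        throw new RuntimeException("Missing environment variable: {$name}");
    }
    return $value;
}

function connectDatabase(): PDO
{
    $dsn = sprintf(
        'mysql:host=%s;dbname=%s;charset=utf8mb4',
        requireEnv('MYSQL_HOST'),
        requireEnv('MYSQL_DB')
    );

    return new PDO(
        $dsn,
        requireEnv('MYSQL_USUARIO'),
        requireEnv('MYSQL_SENHA'),
        [
            // Throw exceptions rather than returning false, so errors are not ignored.
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            // Keep prepared statements server-side instead of client-side emulation.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

try {
    $pdo = connectDatabase();
} catch (RuntimeException $e) {
    // PDOException extends RuntimeException, so connection failures land here too.
    // Log server-side only; never echo the DSN or credentials to the client.
    error_log($e->getMessage());
    http_response_code(500);
    exit('Configuration error');
}
```

Keep this file outside the document root and pull it in with require __DIR__ . '/../conexao.php';, as the answer suggests, so a failed interpreter cannot serve it as plain text.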