views: 378

answers: 7

Hello,

My website is built using php files. I use trade secret algorithms in these files and my root password for my database is stored within these php files also. My database is used to store private medical data of many customers.

Is this considered a secure set up; can anyone download the php source from my webserver, and therefore have access to my root mysql password?

I run apache 2.0 and php 5, on ubuntu 8.04 and mysql 5.

thank you.

+6  A: 

Your server is as secure as the weakest point in your server.

If someone compromises a weak password for an account that happens to be able to read that file - then yes, now they have your root password. If you happen to make a mistake in your code (or use someone else's code/program with such a mistake / "feature"), then that may also compromise it - and yes, both situations HAVE and DO happen.

So as a basic precaution, create a specific account for that application, that is limited to what that application has access to. If it does get compromised, it is not as useful.

Certainly the root password is the worst thing you can choose. In a security audit, this is guaranteed to be an instant fail.

gregmac
+6  A: 

If you are storing medical data in the United States you are subject to specific, stringent security requirements. Other countries may have similar provisions.

Without being an expert, I seriously doubt that you would pass a security audit with the setup you describe. To begin with, having a root password anywhere in plain text is bad practice. Storing any sensitive data (e.g. medical records) in unencrypted form invites any hacker that can penetrate your website to help themselves to the data. I suspect that HIPAA has specific requirements for securing all medical information and patient identifying information.

This is a serious matter that can expose your company to serious liability.

Eric J.
ADAM
His question specifically states that he's storing medical information. In the United States and most countries, there are very specific requirements for storing medical information. He needs to know about those requirements before he can decide on a correct approach to programming. Additionally, my response outlines specific problems with his current security implementation.
Eric J.
+1  A: 

Yes, it is possible for your php source to be "leaked" (delivered as the text that it is, instead of executing) if your web server somehow gets misconfigured.

A code leak of exactly this kind, where a web server mess-up caused PHP pages to be delivered instead of executed, happened to Facebook in 2007.

bobobobo
+3  A: 

In regard to

Yes, it is possible for your php source to be "leaked" (delivered as the text that it is, instead of executing) if your web server somehow gets misconfigured.

A good precaution against that is to put all PHP files (except the bootstrap/index file) outside the public_html/htdocs/www or whatever directory.
You can use something like ZendGuard.
You can simply decide to compile sensitive data as a PHP extension (basically, only constants).

Just keep in mind, there is no such thing as 100% protection.

Itay Moav
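The layout this answer recommends, written out as an added example (this is not code from the original answers or from the asker's site). Apache's DocumentRoot is assumed to point at a public/ directory, with credentials and application code one level above it; the paths, the medapp database and the medapp_web account are assumptions for the example. The bootstrap also refuses to run if the credentials file is reachable through the web root, is world-readable, or names the root account.

```php
<?php
// Added example, not from the original answers. Assumed layout:
//
//   /var/www/medapp/config/db.php     credentials      (outside DocumentRoot)
//   /var/www/medapp/lib/app.php       application code (outside DocumentRoot)
//   /var/www/medapp/public/index.php  this file        (DocumentRoot = public/)
//
// config/db.php contains nothing but:
//
//   <?php
//   return array(
//       'dsn'  => 'mysql:host=localhost;dbname=medapp;charset=utf8',
//       'user' => 'medapp_web',            // dedicated, limited account, not root
//       'pass' => 'a-long-random-password',
//   );
//
// If Apache ever serves .php files as text, the only file under DocumentRoot
// is this one, and it contains no secrets.

define('APP_ROOT', dirname(dirname(__FILE__)));   // /var/www/medapp (works on PHP 5.2)

/**
 * Load the credentials file, refusing to proceed if it sits inside the web
 * root, is readable by every local user, or uses the root account.
 */
function load_db_config($path)
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("config not found: $path");
    }

    // The file must not be reachable through the web server at all.
    $docroot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docroot !== false && strpos($real, $docroot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("refusing to load credentials from inside the web root: $real");
    }

    // Mode 0600 owned by the web server user, or 0640 with a group that only
    // the web server belongs to; never world-readable.
    if (fileperms($real) & 0004) {
        throw new RuntimeException("credentials file $real is world-readable; chmod 600 it");
    }

    $cfg = require $real;
    foreach (array('dsn', 'user', 'pass') as $k) {
        if (empty($cfg[$k])) {
            throw new RuntimeException("config is missing '$k'");
        }
    }
    if ($cfg['user'] === 'root') {
        throw new RuntimeException('the web application must not connect as root');
    }
    return $cfg;
}

function connect_db(array $cfg)
{
    return new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // server-side prepared statements
    ));
}

$cfg = load_db_config(APP_ROOT . '/config/db.php');
$db  = connect_db($cfg);
unset($cfg);   // the password is not needed for the rest of the request

// Everything else is included from outside the web root.
require APP_ROOT . '/lib/app.php';
```

The permission check is worth keeping even though it looks paranoid: on a shared host, any other local account that can read the file has the database password, which is the first of the two compromise paths gregmac describes above.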
A: 

Just out of curiosity, are you familiar with Google Health?

Alix Axel
A: 

If you are protecting trademarked info then your best bet is to encrypt it, along with any passwords you are storing.

This will ensure that even if someone breaks into your system they can't get to it.

You can do one of two things. One is to have a special password-protected page where you can paste in the private key for the public/private keypair that has the encrypted symmetric key.

This will ensure that unless you have the correct private key you won't be able to get to the symmetric key.

The private key can be stored on a usb thumbdrive, so you can remove it after pasting it into the special webpage.

The symmetric key would be read immediately after this form is done, and stored in a global variable so any page in the application can use it.

The private key would be purged immediately after being used to limit the chance it was written out to the hard drive.

This system isn't completely perfect, but should be able to pass a security audit and protect your info from any successful attack by a hacker.

James Black
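The key-wrapping step this answer describes, as an added example in PHP (not code from the original answer). A random AES-256 data key encrypts the records; the data key is kept only in wrapped form under an RSA public key; the RSA private key, the one the answer keeps on a thumb drive, unwraps it. The example assumes ext/openssl and PHP 5.6 or later (for hash_equals); all key material is generated in-script and the record text is constructed sample data.

```php
<?php
// Added example, not from the original answer. Envelope encryption:
// records are encrypted under a random data key, and the data key is
// stored only wrapped (RSA-OAEP) under a public key whose private half
// stays offline. Assumes ext/openssl and PHP >= 5.6.

function generate_keypair()
{
    $res = openssl_pkey_new(array(
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ));
    if ($res === false) {
        throw new RuntimeException('keygen failed: ' . openssl_error_string());
    }
    openssl_pkey_export($res, $private_pem);       // the admin keeps this off the server
    $details = openssl_pkey_get_details($res);
    return array('public' => $details['key'], 'private' => $private_pem);
}

// Wrap a fresh 256-bit data key under the public key. The wrapped blob can
// live in the database or config; it is useless without the private key.
function wrap_data_key($public_pem)
{
    $key = openssl_random_pseudo_bytes(32);
    if (!openssl_public_encrypt($key, $wrapped, $public_pem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('wrap failed: ' . openssl_error_string());
    }
    return array($key, $wrapped);
}

// Unwrap: this is what the "paste the private key" page does.
function unwrap_data_key($wrapped, $private_pem)
{
    if (!openssl_private_decrypt($wrapped, $key, $private_pem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('unwrap failed: wrong private key?');
    }
    return $key;
}

// Separate encryption and MAC keys derived from the data key, so one secret
// is never used for two jobs.
function subkeys($key)
{
    return array(
        hash_hmac('sha256', 'encrypt', $key, true),
        hash_hmac('sha256', 'mac', $key, true),
    );
}

// AES-256-CBC with a random IV, then HMAC-SHA256 over IV||ciphertext
// (encrypt-then-MAC), so a tampered record is rejected before decryption.
function encrypt_record($plaintext, $key)
{
    list($ek, $mk) = subkeys($key);
    $iv = openssl_random_pseudo_bytes(16);
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $ek, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encrypt failed');
    }
    return $iv . $ct . hash_hmac('sha256', $iv . $ct, $mk, true);
}

function decrypt_record($blob, $key)
{
    list($ek, $mk) = subkeys($key);
    if (strlen($blob) < 16 + 16 + 32) {            // IV + one block + MAC
        throw new RuntimeException('record too short');
    }
    $iv  = substr($blob, 0, 16);
    $mac = substr($blob, -32);
    $ct  = substr($blob, 16, -32);
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $mk, true), $mac)) {
        throw new RuntimeException('record failed integrity check');
    }
    $pt = openssl_decrypt($ct, 'aes-256-cbc', $ek, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('decrypt failed');
    }
    return $pt;
}

// --- demo with constructed sample data ---
$kp = generate_keypair();
list($data_key, $wrapped) = wrap_data_key($kp['public']);
$stored = encrypt_record('patient 1042: HbA1c 6.9% (constructed sample)', $data_key);
unset($data_key);                 // the server keeps only $wrapped and $stored

$data_key = unwrap_data_key($wrapped, $kp['private']);   // admin supplies the private key
echo decrypt_record($stored, $data_key), "\n";

// Flip one ciphertext byte: the MAC check fails before any decryption happens.
$tampered = $stored;
$tampered[20] = chr(ord($tampered[20]) ^ 1);
try {
    decrypt_record($tampered, $data_key);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The example stops at the unwrap. A PHP global lives only for the duration of one request, so where the unwrapped data key is kept between requests, and who can read that store, is the part of this design that needs the most care; the wrapped key and the ciphertext on their own are safe to leave in the database.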
A: 

Create a mysql user for each application and give that user the least amount of privileges it needs to work correctly. Most apps only need select, update and delete. http://en.wikipedia.org/wiki/Principle_of_least_privilege

Your mysql root user has special privileges as a super user. Say you hit your max connection limit. MySQL always reserves the last connection for the super user so you can get in there and administer the box, kill connections, etc.

If you use root in your web app, then you could get locked out of your own database.

txyoji
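The dedicated, least-privilege account that both gregmac's and txyoji's answers call for, as an added example (not code from the original answers): a one-off provisioning script run from the shell as the MySQL root user, never from the web application. The medapp database, the medapp_web account, the table names and the MYSQL_ROOT_PASSWORD environment variable are assumptions for the example; the grants are per table, so the web tier gets only the statements it actually issues, and the script ends by confirming the new account is denied what root can do.

```php
<?php
// Added example, not from the original answers. Run once, from the CLI:
//   MYSQL_ROOT_PASSWORD=... php provision_app_user.php
// Table names, account name and privileges are assumptions for the example.

$dbname  = 'medapp';
$appuser = 'medapp_web';
$apppass = bin2hex(openssl_random_pseudo_bytes(16));   // 32 hex chars; copy into config/db.php by hand

// The only place root is ever used, and it is not the web server.
$admin = new PDO('mysql:host=localhost', 'root', getenv('MYSQL_ROOT_PASSWORD'), array(
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
));

// Per-table grants instead of "ALL ON medapp.*": each table gets exactly the
// statements the application issues against it.
$grants = array(
    'patients'   => 'SELECT, INSERT, UPDATE',   // no DELETE: records are retired, not dropped
    'visits'     => 'SELECT, INSERT, UPDATE',
    'audit_log'  => 'INSERT',                   // append-only from the application's side
    'lookup_icd' => 'SELECT',                   // reference data, read-only
);

// Identifiers are literals in this script; only the password is interpolated,
// and it goes through quote() so it is a proper string literal.
$admin->exec(sprintf("CREATE USER '%s'@'localhost' IDENTIFIED BY %s",
    $appuser, $admin->quote($apppass)));
foreach ($grants as $table => $privs) {
    $admin->exec("GRANT $privs ON `$dbname`.`$table` TO '$appuser'@'localhost'");
}

// Print what was granted, so it can be pasted into the change record.
foreach ($admin->query("SHOW GRANTS FOR '$appuser'@'localhost'") as $row) {
    echo $row[0], "\n";
}
$admin = null;

// Verify from the application's side: these must all be refused. If one of
// them succeeds, the account is not the least-privilege account it should be.
function assert_denied(PDO $pdo, $sql)
{
    try {
        $pdo->query($sql);
    } catch (PDOException $e) {
        return true;
    }
    throw new RuntimeException("expected access denied but succeeded: $sql");
}

$app = new PDO("mysql:host=localhost;dbname=$dbname", $appuser, $apppass, array(
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
));
assert_denied($app, 'SELECT user FROM mysql.user');          // cannot read privilege tables
assert_denied($app, 'DROP TABLE patients');                  // cannot destroy data
assert_denied($app, 'DELETE FROM audit_log');                // cannot erase its own trail
assert_denied($app, "SELECT LOAD_FILE('/etc/passwd')");      // no FILE privilege

echo "ok: $appuser provisioned; store the password in config/db.php (mode 0600)\n";
```

The denial checks at the end are the part worth keeping in a deployment checklist: a grant that is too wide does not fail loudly on its own, it only shows up after the application has been compromised.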