I want some input on what you guys think is the most secure way to connect to a mysql database using php. Currently the way Im doing it is a utility php file that I include in the top of all my other php files. The utility php file is this
<?php
if(!defined('IN_PHP')){
die("hackerssss");
}
$mysql_host = "localhost";
$mysql_user = "root";
$mysql_pass = "root";
$mysql_db = cokertrading;
?>
Any suggestions?
Suggestion: You should probably never be running as root; create another account and give it the 'least' privileges required for your site.
Define a pair of proper login credentials instead of "root/root" (change the user name to something else, and choose a complicated password);
if possible restrict access to the database to localhost on a firewall level or, as @Scott says in the comments, set mySQL to listen to connections from 127.0.0.1 only. If both is not possible, restrict access on mySQL level. ("username"@"localhost")
because php scripts are server side - ie they are parsed on the server and only the output is sent to the browser - the way you are doing this is perfectly secure.
The only way that people would be able to get your username and password would be to acctually hack into your server and view the source code - in which case there's no way (in php) to protect against this.
This whole question depends entirely on whether the database is on the same server as your web-server (apache etc). Until we get this we cannot give you an answer.
First of all, as Alex said, you should be using a special account for that application with limited privileges.
After that, take a look at this How To secure passwords in PHP where you will find answers like:
Several period misread this as a question about how to store passwords in a database. That is wrong. It is about how to store the password that lets you get to the database.
The usual solution is to move the password out of source-code into a configuration file. Then leave administration and securing that configuration file up to your system administrators. That way developers do not need to know anything about the production passwords, and there is no record of the password in your source-control.
Store them in a file outside web root.
If you're hosting on someone else's server and don't have access outside your webroot, you can always put your password and/or database connection in a file and then lock the file using a .htaccess:
<files mypasswdfile> order allow,deny
deny from all </files>
For extremely secure systems we encrypt the database password in a configuration file (which itself is secured by the system administrator). On application/server startup the application then prompts the system administrator for the decryption key. The database password is then read from the config file, decrypted, and stored in memory for future use. Still not 100% secure since it is stored in memory decrypted, but you have to call it 'secure enough' at some point!
Your choices are kind of limited as as you say you need the password to access the database. One general approach is to store the username and password in a seperate configuration file rather than the main script. Then be sure to store that outside the main web tree. That was if there is a web configuration problem that leaves your php files being simply displayed as text rather than being executed you haven't exposed the password.
Other than that you are on the right lines with minimal access for the account being used. Add to that
* Don't use the combination of username/password for anything else * Configure the database server to only accept connections from the webhost for that user (localhost is even better if the DB is on the same machine) That way even if the credentials are exposed they are no use to anyone unless they have other access to the machine. * Obfuscate the password (even ROT13 will do) it won't put up much defense if some does get access to the file, but at least it will prevent casual viewing of it.
Peter
These people are all crazy.
This is what all the pros do. My qualification: I was the lead of the secure sign on site for a major branch of the U.S. military:
In your apache vhost for each site you do something like this
<VirtualHost *:80>
ServerName www.phpexperts.pro
SetEnv SQL_HOST localhost
SetEnv SQL_USER phptutor
SetEnv SQL_PASS someRandom-234qasdfasPass
SetEnv SQL_DB rosettablog
</Virtualhost>
Then you run these commands on your vhost config file:
sudo chown root:root 29_phpexperts.pro.conf
sudo chmod 0600 29_phpexperts.pro.conf
What that does is set the user to root and the group to root and then sets file permissions to allow root to read and write it and apache only to read it. As long as apache is started by the root user, only root will then need to have read access to it (thanks @grossvogel).
In your code you do this:
$mysql_user = $_SERVER['SQL_USER'];
Voila! No plaintext password viewable to everyone on your system. Only viewable to apache and root. For kicks, you should encrypt it w/ your secret hash but that might be overkill for most instances.
The odds that someone will be in your root group are very small, and if they do, nothing exception encryption will slow them down much.
What's worse? A file readable by everyone and all they have to do is grep -i PASS * -R or this system, where they have to hack either your root account or be able to write to your PHP server? In any case, they would have long-before gotten your password.
Also, the other way to do this is to set the creds (encrypted, hopefully) into APC and then unset the Apache var.
I can believe noone has mentioned MYSQLI and prepared statements yet, you may lock your password and database connection away, but thats ultimately futile if I can simply type ';DROP TABLE users;-- in the login form.
Check http://en.wikipedia.org/wiki/SQL_injection for an idea about what I'm talking about.