If a web server and a database server are on different hosts, is it possible for a hacker to do packet sniffing or use some other method to get the database username/password when you use mysql_connect in the PHP code?

+4  A: 

Yes, mysql_connect() can be sniffed. The password is "scrambled", but this will not stop an attacker. All queries are thrown over the wire in plain text and the authenticated session can be hijacked if you are sniffing TCP sequence IDs.

You must use full transport layer encryption, which is possible using the MYSQL_CLIENT_SSL flag, if you are worried about this attack. If you are putting a MySQL connection over the internet or an otherwise untrusted network then this is a necessity. This is not necessary if you are connecting via localhost.

Rook
I see, I will look into that flag setting.
jimiyash
In order to read the queries in plain text, would the attacker need to sniff packets on the network between the two servers? Or can they just sniff packets on the network of a client using the site to get the queries?
jimiyash
@Jason Miy, if you are sniffing on the client then you are sniffing the network between two servers. You can be anywhere on the network between A<->B.
Rook
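An added example, not part of the original answer: requesting TLS for the database connection and refusing to continue if the session did not actually negotiate a cipher. It uses mysqli and its `MYSQLI_CLIENT_SSL` flag, because the old `mysql_connect()` extension was removed in PHP 7; the function name `connect_db_tls`, the environment variable names and the CA file path are assumptions made for illustration.

```php
<?php
// Added example. Host, account and CA path are placeholders (assumptions),
// not values from the original post.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any mysqli failure

function connect_db_tls(string $host, string $user, string $pass,
                        string $schema, string $caFile): mysqli
{
    $db = mysqli_init();

    // Trust only the CA that signed the database server's certificate.
    $db->ssl_set(null, null, $caFile, null, null);
    // Verify the server certificate so a host sitting between the web
    // server and the database server cannot pose as the database.
    $db->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);

    // MYSQLI_CLIENT_SSL is the mysqli counterpart of MYSQL_CLIENT_SSL.
    $db->real_connect($host, $user, $pass, $schema, 3306, null, MYSQLI_CLIENT_SSL);

    // Fail closed: an empty Ssl_cipher value means the session is plaintext.
    $row = $db->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch_assoc();
    if (empty($row['Value'])) {
        $db->close();
        throw new RuntimeException('Database session is not encrypted; refusing to continue.');
    }
    return $db;
}

// Usage when run from the command line; all values come from the environment.
if (PHP_SAPI === 'cli' && getenv('DB_HOST') !== false) {
    $db = connect_db_tls(
        getenv('DB_HOST'),            // e.g. the remote database host
        getenv('DB_USER'),
        getenv('DB_PASS'),
        getenv('DB_NAME'),
        getenv('DB_CA_FILE') ?: '/path/to/ca.pem' // placeholder path
    );
    echo "Connected over TLS\n";
}
```

On the server side, the account can additionally be defined with `REQUIRE SSL` so that MySQL itself rejects unencrypted logins for that user.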
A: 

I think that a hacker can sniff the packets if he has some kind of access to the web server or db server, or at least to the LAN where one of these servers is, and in this case you have bigger problems. But if the web server is on webhost.com, the db is on dbhost.com and the hacker tries to sniff from outside then he cannot do much.

Chris