views: 44
answers: 5

I would like to ensure that any scripts that are trying to "include" my database connection file are located under my own domain. I don't want a hacker to include the database connection file to their malicious script and gain access to my database that way. My connection file's name is pretty easy to guess, it's called "connect.php". So without renaming it and taking the security through obscurity route, how can I protect it by making sure all connection requests are made by scripts residing under my own domain name? How can this be checked using PHP?

A: 

No other user than yourself should have access to your PHP files in any way, as Felix mentioned. However, this is how you'd check in PHP:

// SERVER_NAME is the host name of the virtual host that served the request
if ($_SERVER['SERVER_NAME'] != "example.com")
    die("I've been kidnapped!");
Arda Xi
I will try this. But what I meant by the original question was, I didn't want someone to include my file like: include('http://something.com/connect.php'); using an absolute URL path to my site's connection file. Of course no one will have direct access to my PHP files, but they can still link to it or include it, right?
Jack
But if someone can include the file, then they can read the file to get the credentials. :(
symcbean
People could only include it from the same server your website runs on, and even then they're not supposed to be able to. It's impossible to include an external (hosted on a different server) PHP file as PHP.
Arda Xi
A: 

What do you mean by including your connection file? If a script does include "connect.php" then they can see the source code of the file, so whatever security measures you add to that file will be pointless, as it will be like:

if ($notFromHostname)
{
    echo "DONT LOOK AT THIS";
    die();
}
define('DB_PASS', "myPassword");
...

And the "hacker" will clearly be able to see your password. You are probably better off using something like iptables to deny hosts that are not from a specific domain.

webdestroya
+1  A: 

Generally speaking, if someone tries to include a file on your domain, they will see the results of the execution of that file. What do you see when you load the connect.php script in your web browser? That's what they'll see as well if they try to include a remote file.

That said, it's generally a good idea to keep important files inaccessible from outside your public web space. So, if your website is /var/www/yoursite/ then keep your connect.php in /some/dev/dir/yoursite and include the files from your pages using require_once '/some/dev/dir/yoursite/connect.php';

thetaiko
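An added example (not code from any of the answers) of the layout thetaiko describes: connect.php lives outside the document root and is pulled in by absolute path. The paths /some/dev/dir/yoursite and /var/www/yoursite follow the answer; the direct-access guard, the document-root check, and the credential values are assumptions added here.

```php
<?php
// /some/dev/dir/yoursite/connect.php  (outside the web root, per thetaiko's answer)
// Added example, not code from the original answers.

// Guard 1: refuse to run if this file is ever requested directly by a browser,
// e.g. because a copy was accidentally left inside /var/www/yoursite/.
// When the file is included, SCRIPT_FILENAME is the including page, not this file.
$requested = isset($_SERVER['SCRIPT_FILENAME'])
    ? realpath($_SERVER['SCRIPT_FILENAME'])
    : false;
if (PHP_SAPI !== 'cli' && $requested !== false && $requested === realpath(__FILE__)) {
    http_response_code(403);
    exit('Forbidden');
}

// Guard 2: log a warning (to the error log, never to the browser) if this file
// sits under the document root, where a misconfigured server could serve its
// source as plain text. Assumption: DOCUMENT_ROOT is set by the web server.
$docRoot = isset($_SERVER['DOCUMENT_ROOT'])
    ? realpath($_SERVER['DOCUMENT_ROOT'])
    : false;
if ($docRoot !== false
    && strncmp(__DIR__ . '/', $docRoot . '/', strlen($docRoot) + 1) === 0) {
    error_log('connect.php is inside the document root: ' . __DIR__);
}

// Credentials stay in this file; anyone who can read the file locally can read
// them, so rely on file permissions (readable only by the web server user),
// not on checks inside the file. Values below are constructed placeholders.
define('DB_HOST', 'localhost');
define('DB_USER', 'app_user');
define('DB_PASS', 'replace-me');
define('DB_NAME', 'app_db');

function db_connect(): PDO
{
    // Exceptions instead of warnings, so a failed connect never echoes the DSN.
    return new PDO(
        'mysql:host=' . DB_HOST . ';dbname=' . DB_NAME . ';charset=utf8mb4',
        DB_USER,
        DB_PASS,
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
    );
}

// /var/www/yoursite/index.php (inside the web root) pulls it in by absolute path:
//   require_once '/some/dev/dir/yoursite/connect.php';
//   $pdo = db_connect();
```

Requesting http://yourserver.com/connect.php cannot reach the file at all because it is not under /var/www/yoursite; the 403 guard only matters if a copy is ever misplaced.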
+1  A: 

thetaiko's answer addresses the fundamental issues here - but if anyone else has access to run code on the server (i.e. it's a shared server) then access to the file will depend on how the server is configured.

There are lots of ways that access might be constrained - e.g. suphp, base_opendir, multiple chrooted servers. The only way to find out what's going on for sure is to cast yourself in the role of the hacker and see if you can access files outside your designated area.

C.

symcbean
+1 - I forgot about shared hosting!
thetaiko
A: 

Are you on a shared server and don't want other users of the same server instance to be able to get at your files? That'd be up to your server provider, then, to provide some sort of chroot or virtual system to keep your things in. For Apache, mod_suid can accomplish this nicely, and each vhost gets its own userid and permissions set.

If you want external users to not be able to get at your files, then unless you've badly munged your code, or the server's badly misconfigured, all they'll get when they visit http://yourserver.com/connect.php is a blank page.

Marc B