PHP - MySQL Security Issue? - php

Just wondering if this could be a potential security problem with MySQL and PHP:
I have a connect.php file on a server, if someone used require(http://myurl.com/connect.php/);, would this allow them access to my database?
Thanks in advance

No, but for additional security, it's best to keep your sensitive files outside of the web root, in case a misconfiguration of your webserver breaks PHP and exposes it as plain text.

No, that would not allow them to connect to your database. When they require your connect.php over the Internet, they get what is produced by this PHP script as output. In your case, your PHP script (connect.php) probably produces nothing as output (it just connects to the db and terminates).

No, PHP variables are not accessible client side. For example a file like this
<?php
// Create connection
$con=mysqli_connect("example.com","peter","abc123","my_db");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
The $con variable would not be accessible publicly.

Probably not. If "someone" does require(http://myurl.com/connect.php/); from his server (and has the inclusion via http enabled, see http://www.php.net/manual/en/function.include.php), then his server connects to your server and fetches the interpreted output of your connect.php.

If you have 'server side include' enabled - yes.
Read about allow_url_include directive: http://www.php.net/manual/en/filesystem.configuration.php

Related

Is it secure to use include() to connect to server and database?

Is it secure to use a PHP file with connection parameters, and include that file to the page?
example:
include("connect.php");
connect.php:
<?php
// mysqli_connect_error() takes no arguments; die() if the connection failed
$con = mysqli_connect('localhost', 'root', '', 'database')
    or die(mysqli_connect_error() . " - In line: " . __LINE__);
mysqli_set_charset($con, 'utf8');
Yes, because the include is happening server-side. You should look up some information about server-side programming and client-side programming!
Also MySQL functions are officially deprecated and MySQLi or PDO should be used instead!!!
Yes, this is fine though it might be better if you used require() so that if for whatever reason including the connect info fails, the code execution stops. include() will continue to execute the script even if the command did not succeed, which can cause error information and/or information only required if a connection is successful to be exposed (not generally recommended).
For even more security, you can move the connection info file out of the public web root (e.g. if web root is /home/data/files then moving it to /home/data then including /home/data/connect.php or ../connect.php - if your web host allows this). This will mean it cannot be accessed via HTTP.
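The layout the answers in both threads above recommend, written out as an added example (this is not code from either thread): connect.php kept one level above the document root and loaded with require, plus a check that the resolved path really is outside DOCUMENT_ROOT and a helper that recognises a response body that looks like leaked PHP source. The /home/data/files layout is taken from the answer above; the file names, host name and credentials are placeholders.

```php
<?php
// index.php in the document root (assumed, following the answer above: /home/data/files).
// connect.php sits one level up (assumed: /home/data/connect.php), where the web
// server cannot serve it, and it *returns* the connection instead of leaving $con
// and the credentials behind as globals in the including page.

/**
 * Resolve a config file relative to this script and refuse it if it still lives
 * inside DOCUMENT_ROOT, where a broken PHP handler would hand out the source
 * (credentials included) as plain text.
 */
function private_config_path(string $relative): string
{
    $path = realpath(__DIR__ . '/' . $relative);
    if ($path === false) {
        throw new RuntimeException("config file not found: $relative");
    }
    $docroot = empty($_SERVER['DOCUMENT_ROOT']) ? false : realpath($_SERVER['DOCUMENT_ROOT']);
    if ($docroot !== false) {
        $prefix = rtrim($docroot, '/') . '/';
        if (strncmp($path, $prefix, strlen($prefix)) === 0) {
            throw new RuntimeException("$path is inside the document root $docroot; move it above it");
        }
    }
    return $path;
}

/**
 * Heuristic for the misconfiguration the first answer warns about. Fetch your own
 * connect.php over HTTP and pass the body here: a working PHP handler returns the
 * script's output (normally empty), a broken one returns the source, which carries
 * an opening tag and a connect call.
 */
function looks_like_php_source(string $body): bool
{
    return strpos($body, '<?php') !== false
        || preg_match('/\bmysqli?_connect\s*\(/', $body) === 1
        || preg_match('/\bnew\s+(mysqli|PDO)\s*\(/i', $body) === 1;
}

// Assumed contents of /home/data/connect.php (shown as a comment; it is a separate file):
//   <?php
//   mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false
//   $con = mysqli_connect('localhost', 'app_user', 'app_password', 'my_db');
//   mysqli_set_charset($con, 'utf8mb4');
//   return $con;

$con = require private_config_path('../connect.php');

// Optional self-check when run from the command line (host name from the question,
// treated here as a placeholder): anything that looks like source is the leak.
if (PHP_SAPI === 'cli') {
    $body = @file_get_contents('http://myurl.com/connect.php');
    if ($body !== false && looks_like_php_source($body)) {
        fwrite(STDERR, "WARNING: connect.php is being served as plain text\n");
    }
}

mysqli_close($con);
```

DOCUMENT_ROOT is empty on the command line and under some FastCGI setups, in which case the document-root check is skipped rather than failing. Moving the file above the web root only removes the HTTP path to it; the account PHP runs as still has to be able to read it, so its file permissions matter as well.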

Defining PHP Constants - What Is My Server Name?

I have:
<?php define('DB_SERVER', 'localhost');
If I put this constants.php file on my web host's server, is it still 'localhost'? Or something else.
I use hostmonster.com for my website. Does that replace localhost?
Yes, you should still use 'localhost' to connect to the database server.
Have a look at the hostmonster help, 'Using the database'.
https://my.hostmonster.com/cgi/help/6
Using the Database
After doing all these steps, create the database's tables either via
phpMyAdmin, MySQL software or use an online PHP or Perl script.
Version: MySQL 5
Username: username_dbuser
Database Name: username_dbname
Hostaddress: localhost
Port: 3306
Obviously, use your own database username and database name :)
(The ones you got when creating the database)
It's a string. A simple, hardcoded string. It won't magically change, because it's not a variable. 'localhost' will always be 'localhost'.
No, it doesn't. You define a PHP constant here, not a value that comes from the server's headers (localhost).

PHP MySQL fails when page is viewed remotely

I have two servers on my local network - one a web frontend and the other a MySQL backend. I have a PHP script that looks like this:
<?php
error_reporting(-1);
echo "Connecting...\n";
$link = mysql_connect("192.168.1.15", "-----", "-----") or die(mysql_error());
echo "Communicating with the server...";
mysql_query("INSERT INTO .....
//More code down here...
?>
This script is called on my web frontend to connect to the backend server. When this script is accessed from the local network (i.e. when I open the page by going to http://192.168.1.14), the script outputs
Connecting...
Communicating with the server...
and a row is added to the database, as it should. However when I connect remotely (i.e. going to http://myDomainName.com/mysql_insert_script.php) from a connection not on the local network, all I see is:
Connecting...
No error messages follow, the script just cuts off, and no data is added to the database. When I place a second, 'proxy' script on the server that simply requires() the above script and then I access the proxy remotely, everything works fine. Below is the proxy script, so you can get a better idea of what works and what does not:
<?php
//this script makes it appear that the mysql_script is being viewed from the local network
//I exist on the web frontend at 192.168.1.14
require("http://192.168.1.15/mysql_insert_script.php");
?>
I am sorry if I can't provide any more information, but I am stumped. Any help would be appreciated.
Chris
P.S. - I have verified that the mysql server is accessible from external hosts on the local network, but I have a firewall that prevents connections from outside my network. I don't think this would matter, however, as the MySQL server and the PHP script connecting to it are both run on the local net.
You got the wrong server name.

php returns different mysql result

I have just moved my host to another machine, but now a problem has occurred. I get different MySQL results from PHP. To be more specific, PHP returns the last result from when I took the backup. I am checking the database via the MySQL console and there are new entries, but PHP continues to return the old results. What do I need to do to fix this?
P.S. I can download the PHP files which are on my new host. I can see the source code. Weird...
Thank you.
Your php might still be connecting to the old database
If you can download the php files, your server isn't set up to run PHP and/or has a mis-configured .htaccess file
Check your database connection code.
It's possible that you're connecting to a remote host, rather than 'localhost':
$mysql_connection = mysql_connect('mysql.example.com', 'user', 'pass');
There is another possibility, different databases:
mysql_select_db('using_old_db', $mysql_connection);
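An added example (not from the thread) for checking the two possibilities the answer above lists: ask the server itself which host, port, database and account this PHP process is really talking to. A page that still prints stale rows after a move will show the old host or the old database here. The credentials are placeholders.

```php
<?php
// Added example, not from the thread: make the server say which host, port,
// database and account this PHP process is really talking to. A page that
// still prints stale rows after a move will show the old host or the old
// database here. Credentials are placeholders.

function describe_connection(mysqli $con): array
{
    $res = mysqli_query(
        $con,
        'SELECT @@hostname AS server_host, @@port AS server_port, '
        . 'DATABASE() AS current_db, CURRENT_USER() AS account, @@version AS version'
    );
    $row = mysqli_fetch_assoc($res);
    mysqli_free_result($res);
    // What the client side thinks it connected to, e.g. "Localhost via UNIX socket"
    // or "mysql.example.com via TCP/IP".
    $row['client_side'] = mysqli_get_host_info($con);
    return $row;
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false
$con = mysqli_connect('localhost', 'user', 'pass', 'my_db');
foreach (describe_connection($con) as $name => $value) {
    printf("%-12s %s\n", $name, $value);
}
mysqli_close($con);
```

If client_side reports a remote host via TCP/IP when you expected localhost, the script is still pointed at the old machine; if current_db is not the database you just restored into, the script is selecting the old one.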

Connect to MySQL with hashed password?

I was wondering (and used Google with no clear result) if there is any way to connect to a MySQL database with PHP using a hashed password. Say I have the following:
Password (plain): 'foobar'
Password (sha1): '8843d7f92416211de9ebb963ff4ce28125932878'
Now I would like to connect to MySQL like this (using the mysql_* function as example, I'm using PDO though):
$db_link = mysql_connect ( 'localhost', 'user', '8843d7f92416211de9ebb963ff4ce28125932878' );
Is this possible? Has anyone done this before?
Then the "hash" would be the password. What would be the benefit?
The short answer is no.
But, just wondering... what is your real concern? Someone hacking into your server and discovering your password?
The use case would be having multiple developers editing the .php file that contains the SQL connect password, which you might not want them to know.
I think one solution would be to move the connect statement out to a file like so; make sure you don't have a $password variable, though, because someone could just call it and print it out later in their .php file.
mysql.php
<?php
mysql_connect('db.cs.dal.ca','user','password');
#mysql_select_db($database) or die( "Database Error ".mysql_error());
?>
and only give yourself rw------- permissions on the mysql.php file; then in all of your group-accessible .php files you can just include that file to invoke a connection.
index.php
<?php include("mysql.php") ?>
<!-- some web content -->
<?php mysql_close(); ?>
and give your developers group rw-rw---- permissions on all the other .php files. As long as the owner of the mysql.php file can read it, it should execute on the PHP server..... I think.
You can also exclude mysql.php from git, for example, and have developers run their own local copy of a DB with their own mysql.php file, and just provide a stripped-down copy of your production database for local development and testing.
Simple answer is "You can't."
I know what you are trying to accomplish: You are probably on some shared hosting plan and cannot put your config file above the html folder.
Stefan is thinking that a hacker would just be hunting for the config file and wants to make him have to work for the info. Once the hacker realizes he needs more info, he has to crack the site a second time.
This has nothing to do with a table of usernames & passwords. This is for the MySQL config file.
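The file-permission approach from the answers above, written out as an added example (not code from the thread): the credentials live in a file that only the account PHP runs as can read, the loader refuses to connect if the file is group- or world-readable, and the calling page receives a live mysqli connection without ever holding a $password variable. The path, file format and credential values are placeholders.

```php
<?php
// Added example, not code from the thread. The credentials live in a file the
// PHP account (and nobody else) can read; the calling page receives a live
// mysqli connection and never holds a $password variable. Paths and values
// are placeholders.

const DB_CREDENTIALS_FILE = '/home/data/private/db.json'; // assumed: chmod 600, owned by the PHP user

/**
 * Expected db.json (assumed format):
 *   {"host":"localhost","user":"app_user","password":"change-me","dbname":"my_db"}
 */
function db_connect_from_file(string $file): mysqli
{
    if (!is_file($file) || !is_readable($file)) {
        throw new RuntimeException("cannot read $file; it must be owned and readable by the account PHP runs as");
    }
    $mode = fileperms($file) & 0777;
    if (($mode & 0077) !== 0) {
        // Group or world can read the plain-text password: refuse rather than connect.
        throw new RuntimeException(sprintf('%s has mode %04o; expected 0600', $file, $mode));
    }
    $cfg = json_decode((string) file_get_contents($file), true);
    if (!is_array($cfg)) {
        throw new RuntimeException("$file is not valid JSON");
    }
    foreach (['host', 'user', 'password', 'dbname'] as $key) {
        if (!isset($cfg[$key]) || !is_string($cfg[$key])) {
            throw new RuntimeException("$file is missing '$key'");
        }
    }
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // exceptions, not a silent false
    $con = mysqli_connect($cfg['host'], $cfg['user'], $cfg['password'], $cfg['dbname']);
    mysqli_set_charset($con, 'utf8mb4');
    return $con; // $cfg, and the password with it, goes out of scope here
}

// Usage in a page the other developers can edit: they get $con, not the password.
$con = db_connect_from_file(DB_CREDENTIALS_FILE);
$result = mysqli_query($con, 'SELECT 1 AS ok');
$row = mysqli_fetch_assoc($result);
mysqli_free_result($result);
mysqli_close($con);
```

The ownership model only isolates developers when each site runs under its own account (suEXEC or a per-site PHP-FPM pool); under mod_php every vhost runs as the same user, so the file has to be readable by that shared user and anyone who can run PHP as it can read the file too. The check also does nothing useful on Windows, where fileperms() does not carry Unix mode bits.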
