Security question

[ebolisa]

Hi,

My ISP doesn't allow direct access to mysql Server so I created a bridge and stored the PHP code in the main web folder (https://www.mydomain.com/post.php).

The bridge works fine and is used mainly for my IOT projects.

In the same web folder, is located the conn.php code containing the server's credentials.

The question is, how safe is the PHP code at that location? I can create a subfolder but not sure if it matters as far as security is concerned.

TIA

[requinix]

What is this "bridge"?

Your code is safe in that people cannot read it directly. What you have to worry is about what all your code does. Have some script that outputs HTML files? Make sure it can't be tricked into outputting PHP files...

[benanamen]

What is this "bridge" you created? What do you mean "doesn't allow direct access to mysql Server"? What does Mysql have to do with where you are putting your Php code?

[ebolisa]

<?php

include 'db_conn.php';

// Keep this API Key value to be compatible with the ESP32 code provided in the project page. If you change this value, the ESP32 sketch needs to match
$api_key_value = "myKey";
$api_key = $board = $ip = "";
//printf('<pre>Contents of $_POST %s</pre>', print_r($_POST, true));

if ($_SERVER["REQUEST_METHOD"] == "POST") {

    //printf('<pre>Contents of $_POST %s</pre>', print_r($_POST, true));
    //var_dump($_POST)."<br>";
    
    $api_key = test_input($_POST["api_key"]);
    
    //printf('<pre>Contents of $api_key: %s</pre>', print_r($api_key, true));
    
    if($api_key == $api_key_value) {
        $ip = test_input($_POST["ip"]);
        $board = test_input($_POST["board"]);
        $uptime = test_input($_POST["uptime"]);
        $temp = test_input($_POST["temp"]);
        
        $conn = OpenCon();
        
        // Check connection
        if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
        }
        else {
            //echo "Connected!"."<br>";
            }

        $sql = "INSERT INTO washupips (board, uptime, temp, ip) VALUES ( '" . $board . "', '" . $uptime. "', '" . $temp . "','" . $ip . "')" ;
        
        //printf('<pre>Contents of $sql %s</pre>', print_r($sql, true));
        
        if ($conn->query($sql) === TRUE) {
            echo "New record created successfully";
        }
        else {
            echo "Error: " . $sql . "<br>" . $conn->error;
        }
    
        $conn->close();
    }
    else {
        echo "Wrong API Key provided.";
    }

}
else {
    echo "No data posted with HTTP POST.";
}

function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
?>

Ok, I see the confusion, perhaps bridge is not the right definition in English.

Normally, to store data to a DB we access it via an IP, no matter where that location is. In my case and for security reasons, the IP is not accessible via the Internet, but it's accessible via a web server since both servers are in the same ISP's network.

So, I'm using a "bridge" to hop from the ISP's web server to the DB server as shown in the above code.

[requinix]

Does your host provide some phpMyAdmin package or similiar? It would be better to use something they've already set up than writing your own.

[ebolisa]

Yes, I have phpMyAdmin access but only once logged in their system. Do not have access to it directly.

[requinix]

So log into their system and use it. Don't make your own script to do random database stuff.

[ebolisa]

I understand, but I need to automate the process for my IOT projects 🤔

[requinix]

Ah. Judging by the description I thought you needed this script for you personally to run the occasional database query.

You need to think of this as an API instead of a "bridge".

Each IoT device has a key to identify it. Your script takes the key it receives and verifies it is valid and good for whatever action. Only then does it insert data.

Make sure all of this is over SSL. It needs to be. You also need to switch to prepared statements instead of using that test_input thing you have.

[ebolisa]

 

5 minutes ago, requinix said:

You also need to switch to prepared statements instead of using that test_input thing you have.

Could you give me a hint on how to do that, please.

[requinix]

If you're using mysqli then look here. If you're using PDO then look here.

[benanamen]

By the way, your test_input function is a block of code from the 90's that needs to be taken behind the barn and shot and buried forever. Surprised to still see that floating around. Additionally, NEVER EVER put variables in your query. You need to use prepared statements