ebolisa Posted August 7, 2020
Hi, my ISP doesn't allow direct access to the MySQL server, so I created a bridge and stored the PHP code in the main web folder (https://www.mydomain.com/post.php). The bridge works fine and is used mainly for my IoT projects. In the same web folder is located the conn.php code containing the server's credentials. The question is, how safe is the PHP code at that location? I can create a subfolder, but I'm not sure if it matters as far as security is concerned. TIA
Link to comment https://forums.phpfreaks.com/topic/311290-security-question/
requinix Posted August 7, 2020
What is this "bridge"? Your code is safe in that people cannot read it directly. What you have to worry about is what all your code does. Have some script that outputs HTML files? Make sure it can't be tricked into outputting PHP files...
benanamen Posted August 7, 2020
What is this "bridge" you created? What do you mean "doesn't allow direct access to mysql Server"? What does MySQL have to do with where you are putting your PHP code?
ebolisa (Author) Posted August 7, 2020

```php
<?php
include 'db_conn.php';

// Keep this API Key value to be compatible with the ESP32 code provided in the
// project page. If you change this value, the ESP32 sketch needs to match.
$api_key_value = "myKey";
$api_key = $board = $ip = "";

//printf('<pre>Contents of $_POST %s</pre>', print_r($_POST, true));

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    //printf('<pre>Contents of $_POST %s</pre>', print_r($_POST, true));
    //var_dump($_POST)."<br>";
    $api_key = test_input($_POST["api_key"]);
    //printf('<pre>Contents of $api_key: %s</pre>', print_r($api_key, true));

    if ($api_key == $api_key_value) {
        $ip     = test_input($_POST["ip"]);
        $board  = test_input($_POST["board"]);
        $uptime = test_input($_POST["uptime"]);
        $temp   = test_input($_POST["temp"]);

        $conn = OpenCon();
        // Check connection
        if ($conn->connect_error) {
            die("Connection failed: " . $conn->connect_error);
        } else {
            //echo "Connected!"."<br>";
        }

        // Posted values are concatenated straight into the SQL text
        // (the point the later replies about prepared statements address)
        $sql = "INSERT INTO washupips (board, uptime, temp, ip) VALUES ('" . $board . "', '" . $uptime . "', '" . $temp . "','" . $ip . "')";
        //printf('<pre>Contents of $sql %s</pre>', print_r($sql, true));

        if ($conn->query($sql) === TRUE) {
            echo "New record created successfully";
        } else {
            echo "Error: " . $sql . "<br>" . $conn->error;
        }
        $conn->close();
    } else {
        echo "Wrong API Key provided.";
    }
} else {
    echo "No data posted with HTTP POST.";
}

// Trims, strips backslashes and HTML-encodes a posted value
function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
?>
```

Ok, I see the confusion; perhaps "bridge" is not the right definition in English. Normally, to store data in a DB we access it via an IP, no matter where that location is. In my case, and for security reasons, the IP is not accessible via the Internet, but it's accessible via a web server since both servers are in the same ISP's network. So, I'm using a "bridge" to hop from the ISP's web server to the DB server, as shown in the above code.
requinix Posted August 7, 2020
Does your host provide some phpMyAdmin package or similar? It would be better to use something they've already set up than writing your own.
ebolisa (Author) Posted August 7, 2020
Yes, I have phpMyAdmin access, but only once logged in to their system. I do not have access to it directly.
requinix Posted August 7, 2020
So log into their system and use it. Don't make your own script to do random database stuff.
ebolisa (Author) Posted August 7, 2020
I understand, but I need to automate the process for my IoT projects 🤔
requinix Posted August 7, 2020
Ah. Judging by the description, I thought you needed this script for you personally to run the occasional database query. You need to think of this as an API instead of a "bridge". Each IoT device has a key to identify it. Your script takes the key it receives and verifies it is valid and good for whatever action. Only then does it insert data. Make sure all of this is over SSL. It needs to be. You also need to switch to prepared statements instead of using that test_input thing you have.
ebolisa (Author) Posted August 7, 2020
5 minutes ago, requinix said: "You also need to switch to prepared statements instead of using that test_input thing you have."
Could you give me a hint on how to do that, please?
requinix Posted August 7, 2020
If you're using mysqli then look here. If you're using PDO then look here.
benanamen Posted August 7, 2020
By the way, your test_input function is a block of code from the '90s that needs to be taken behind the barn and shot and buried forever. Surprised to still see that floating around. Additionally, NEVER EVER put variables in your query. You need to use prepared statements.
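A worked version of the posted endpoint following the advice in this thread (requinix: verify the device key before inserting anything, use prepared statements; benanamen: never put variables in the query). This is an added example, not code from any of the posters; it assumes db_conn.php defines OpenCon() returning a mysqli object as in the posted script, that the key can be supplied through an environment variable (IOT_API_KEY is an assumed name), and that uptime and temp are integer and floating-point columns.

```php
<?php
declare(strict_types=1);

require __DIR__ . '/db_conn.php';   // assumed to define OpenCon(): mysqli, as in the thread

// Make mysqli throw exceptions instead of returning false and setting $conn->error.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
header('Content-Type: text/plain');

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('No data posted with HTTP POST.');
}

// Device key comes from the environment (assumed variable name), not a literal in the web root.
$api_key_value = getenv('IOT_API_KEY') ?: '';
$api_key       = is_string($_POST['api_key'] ?? null) ? $_POST['api_key'] : '';

// hash_equals() compares in constant time, so the check does not leak timing.
if ($api_key_value === '' || !hash_equals($api_key_value, $api_key)) {
    http_response_code(403);
    exit('Wrong API Key provided.');
}

// Validate the shape of each field and reject what does not fit; no "sanitising".
$board  = is_string($_POST['board'] ?? null) ? trim($_POST['board']) : '';
$ip     = filter_var($_POST['ip'] ?? '', FILTER_VALIDATE_IP);
$uptime = filter_var($_POST['uptime'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
$temp   = filter_var($_POST['temp'] ?? '', FILTER_VALIDATE_FLOAT);

if ($board === '' || strlen($board) > 64 || $ip === false || $uptime === false || $temp === false) {
    http_response_code(400);
    exit('Invalid data.');
}

try {
    $conn = OpenCon();
    // Placeholders keep the values out of the SQL text: they are sent separately
    // and can never change the statement's structure, so no escaping is needed.
    $stmt = $conn->prepare('INSERT INTO washupips (board, uptime, temp, ip) VALUES (?, ?, ?, ?)');
    $stmt->bind_param('sids', $board, $uptime, $temp, $ip);   // assumes INT uptime, DOUBLE temp
    $stmt->execute();
    echo 'New record created successfully';
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; never echo the SQL or $conn->error back to the client.
    error_log('washupips insert failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Database error.';
}
```

The same pattern applies with PDO (prepare with `?` placeholders, then execute with the values as an array); the SSL requirement requinix mentions is unchanged and is handled at the web server, not in this script.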