Fishcakes Posted June 10, 2021

Hi, I am currently mostly learning procedural PHP but had a question about security. Are hackers able to see connections to databases in procedural programming? Would connections to databases need to be called from classes and methods instead? Or does it not matter that much?

Strider64 Posted June 10, 2021 (edited)

Object-oriented Programming does add better security as you can make the code protected or private, but any code is hack-able. The biggest security threat is between the user and the website as you don't know what the user might try. It can be like playing whack-a-mole with them at times. My best advice is to never try to write your own security code, by that I mean like not writing your own password algorithm. Let that be done by PHP internal security functions/methods or a TRUSTED 3rd-party source. Just my .02 cents.

Edited June 10, 2021 by Strider64

mac_gyver Posted June 10, 2021

define: Are hackers able to see ... anything in your server-side code?

if someone gains direct access to your server-side files or gets their server-side code to run on your server (which typically includes a file-manager/control-panel), they can see everything in all the files.

for the simplest case of someone just getting their server-side code running on your server to grab and output all main program (global) variables and defined constants, yes, database connection credentials defined within the main program scope are accessible. for this simple case only, using the local variable scope within a user written function/class-method or non-public visibility for properties/constants within a user written class would prevent access to these values.

if someone makes an http(s) request to your server-side files, as long as the server-side programming language is functioning, they can only see what your server-side code outputs in response to the request.

for the extremely rare case where the web server is functioning but the server-side language is not, i.e. the raw php code would be output in response to a request, putting the server-side files containing things like database connection credentials either in a folder outside of the document root folder or, if that option is not available, inside a folder inside the document root folder but which has had http requests disabled for that folder will prevent http requests to those files.

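
The simple case described in the post above (code that only dumps main-program variables and defined constants), as an added PHP example that is not part of any post in this thread. It compares credentials kept in a global variable and a constant with credentials that a config file returns into a function's local scope. All names, paths and secret strings are constructed; the temp directory stands in for a folder outside the document root, and the `pdo_sqlite` extension is assumed to be available.

```php
<?php
// Added illustration; every name, path and credential here is constructed.

// (a) Credentials held in the main program scope and in a defined constant.
$db_pass = 'global-scope-secret';
define('DB_PASS', 'constant-secret');

// (b) Credentials returned by a config file and only ever held in a
// function's local scope. In a real deployment this file would live in a
// folder outside the document root; the temp dir is a stand-in.
$config_file = sys_get_temp_dir() . '/db_config_example.php';
file_put_contents(
    $config_file,
    "<?php\nreturn ['dsn' => 'sqlite::memory:', 'user' => 'app', 'pass' => 'local-scope-secret'];\n"
);

function db_connect(string $config_file): PDO
{
    $cfg = require $config_file; // $cfg exists only for the duration of this call
    return new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}

// What a dump of all globals and user-defined constants contains.
function seen_by_global_dump(string $needle): bool
{
    $dump = print_r($GLOBALS, true)
          . print_r(get_defined_constants(true)['user'] ?? [], true);
    return strpos($dump, $needle) !== false;
}

$pdo = db_connect($config_file);

// Literals are passed directly so the checks themselves add no globals.
echo 'global variable: ', seen_by_global_dump('global-scope-secret') ? 'exposed' : 'hidden', "\n";
echo 'constant:        ', seen_by_global_dump('constant-secret') ? 'exposed' : 'hidden', "\n";
echo 'function local:  ', seen_by_global_dump('local-scope-secret') ? 'exposed' : 'hidden', "\n";

// The path in $config_file is still a global: code that can read files on
// the server can open the config file itself, so local scope only covers
// the globals-dump case.
unlink($config_file);
```
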
requinix Posted June 10, 2021

To be clear, procedural versus object-oriented code has absolutely nothing to do with server security. Either people can see your code and files or they cannot.

Psycho Posted June 10, 2021

To add to @requinix's response, the communication to the database would be between the PHP server and the database server. The client should have no idea about how the connection is made. However, if you have "holes" in your application that allow the users to infiltrate your server-side code, then all bets are off. Unfortunately, the guidance on not creating those holes is an expansive subject. A forum is great for asking about specific aspects, but for the big picture I would suggest looking for training and/or guides on the subject.