Jump to content

General questions on PHP security and Object Oriented Programming


Fishcakes

Recommended Posts

Hi

I am currently mostly learning procedural PHP but had a question about security.

 

Are hackers able to see connections to databases in procedural programming?

Would connections to databases need to be called from classes and methods instead? Or does it not matter that much?

Link to comment
Share on other sites

Object-oriented Programming does add better security as you can make the code protected or private, but any code is hack-able. The biggest security threat is between the user and the website as you don't what the user might try. It can be like playing whack-a-mole with them at times. My best advice is never trying to write your own security code, by that I mean like not writing your own password algorithm. Let that be done by PHP internal security functions/methods or a TRUSTED 3rd-party source. Just my .02 cents. 

Edited by Strider64
Link to comment
Share on other sites

define: Are hackers able to see ... anything in your server-side code?

if someone gains direct access to your server-side files or gets their server-side code to run on your server (which typically includes a file-manager/control-panel), they can see everything in all the files.

for the simplest case of someone just getting their server-side code running on your server to grab and output all main program (global) variables and defined constants, yes, database connection credentials defined within the main program scope are accessible. for this simple case only, using the local variable scope within a user written function/class-method or non-public visibility for properties/constants within a user written class would prevent access to these values.

if someone makes a http(s) request to your server-side files, as long as the server-side programming language is functioning, they can only see what your server-side code outputs in response to the request. for the extremely rare case where the web server is functioning but the server-side language is not, i.e. the raw php code would be output in response to a request, putting the server-side files containing things like database connection credentials either in a folder outside of the document root folder or if that option is not available inside a folder inside the document root folder but which has had http requests disabled for that folder will prevent http requests to those files.

Link to comment
Share on other sites

To add to @requinix's response, the communication to the database would be between the PHP server and the database server. The client should have no idea about how the connection is made. However, if you have "holes" in your application that allows the users to infiltrate your server-side code, then all bets are off. Unfortunately, the guidance on not creating those holes is an expansive subject. A forum is great for asking abut specific aspects, but for the big picture I would suggest looking for training and/or guides on the subject.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.