Securing php mysql scripts

[chrischen]

So I have a php mysql powered website. Basically for every page that needs to connect to the database I include the database connection file. Are there any security risks to this, for example, someone on another server including my files?

[monkeytooth]

Theres always a risk, but on the flip side of that theres always a work around to help prevent such risks.. the easiest of them is give high priority files like that a unique name consisting of numbers and letters and make it about 12+ characters long.. then pending on the level of access you have over your server.. you could always restrict access to the file. Also use unique database table names, row names, etc.. Also make the file Read Only, if you are able to use htaccess, you could also make it so that file is only usable via your domain name, as well as use it to redirect someone one tempts to access the file by itself. Theres a million and one ways to hack a site and a million and one ways to prevent it figuratively speaking.. But for your common would be hacker.. Just the basics and a little extra are what you need to worry about.

 

Also Remember Sanitize your Database inputs when working with forms of any kind.. be a simple user login or complex form entry. I have found thus far that being unique with naming high risk files.. and unique in naming high risk areas of my database's are always an excellent detourant..

 

Anyway.. commonly you don't want your connection info hardcoded into any give file minus the connection config file.. one if all your files have it then potential of someone accessing it by managing to download a php file is greater.. 2 if you practice good security by changing passwords every x ammount of days then it makes it easier to update the over all script rather then go file by file..

[Sam Granger]

I don't believe thats a problem .

 

Try visiting your config file. It will display as plain html - unless its a txt file or whatever, but I assume you have variables in php.

 

I believe the other server would include a blank html file which won't get the person anywhere. 

 

And like the poster above said, chmod the file to read only

[revraz]

Read only will do what?  Let them read it, so that will just not let them change it.

 

But since all the entries in the file is .php, they can't view it.

 

Also, how would they even know the name of your file and it's folder?

[revraz]

Also, some webhosts (like mine) doesn't even allow access to the mysql database unless it's from within the domain.

[monkeytooth]

All valid points.. However I based my input on the general what if factor, it would be a rare thing to pull off.. as they said, also how would they know any of that stuff.. but again What if.. I dunno, maybe im just over paranoid and handle mine the way I do.. but even if not, its worked so far lol..

 

 

[chrischen]

OK so i have an index.php file and inside it's like this:

 

<?php include('/databaseconnection.php'); ... blah blah ?>

 

If someone were to include my index.php from an external server they wouldn't be able to access my database right?

 

Also what is sql injection attacks and cross site scripting?

[Sam Granger]

SQL Injection occurs when you have a variable in your sql query that a user can modify.

 

Before putting user entered info or info you can edit in the url ($_POST, $_GET etc...) save it as a variable and use mysql_real_escape_string to make it sql safe. eg: $username = mysql_real_escape_string($_POST["username"]);

 

Example of sql injection.

 

// user input that uses SQL Injection

$name_bad = $_POST["username"]; // they enter 'OR 1=1

 

//inturn the SQL query below will look like the following

 

$query_bad = "SELECT * FROM members WHERE username = ''OR 1=1";

[chrischen]

if (!function_exists("GetSQLValueString")) {

function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")

{

  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

 

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

 

  switch ($theType) {

    case "text":

      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";

      break;   

    case "long":

    case "int":

      $theValue = ($theValue != "") ? intval($theValue) : "NULL";

      break;

    case "double":

      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";

      break;

    case "date":

      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";

      break;

    case "defined":

      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;

      break;

  }

  return $theValue;

}

 

So this function that dreamweaver uses would work for that?

[revraz]

It doesn't work like that.  Try it yourself, include someone else's index.php page.

 

 

If someone were to include my index.php from an external server they wouldn't be able to access my database right?