PHP - store sql connection credentials where?

CuriousMike

Both of my "Learn PHP + MySQL" books describe this:

$con = mysql_connect("localhost","mysql_user","mysql_pwd");

Is it considered normal to put the credentials in the .PHP file, or is there a "safer" place to put them?
 

beginner99

Put it in a separate file (class/function) that returns the connection. That file should not be web accessible. Plus, the user used should have as few privileges as possible.
 

CuriousMike

My question isn't where to put the "mysql_connect" call, rather: Do you hard-code the "mysql_user" and "mysql_pwd" in the code?

Is there a way that those values can be put in some sort of .ini file?
Or would you put them in a db?
 

Broheim

My question isn't where to put the "mysql_connect" call, rather: Do you hard-code the "mysql_user" and "mysql_pwd" in the code?

Is there a way that those values can be put in some sort of .ini file?
Or would you put them in a db?

hardcode them, if someone can read your php files then you have bigger issues.
 

CuriousMike

hardcode them, if someone can read your php files then you have bigger issues.

OK, thanks.

I think I have a follow-up.

With regards to security, how frequently does a hacker get to the level of being able to get to the PHP files?

The reading I've done on PHP has me sanitizing user-input via the various built-in php methods.
User passwords are MD5'd and salted.

I guess another way of asking this is if MySQL attacks make up most of the security breaches that are public?
 

beginner99

hardcode them, if someone can read your php files then you have bigger issues.

I see what you mean but the system admin (which is not necessarily yourself) can usually see the file and hence the password. And if that password is for a database that contains sensitive data that admin should not be able to see, it is kind of an issue.
 

Broheim

OK, thanks.

I think I have a follow-up.

With regards to security, how frequently does a hacker get to the level of being able to get to the PHP files?

The reading I've done on PHP has me sanitizing user-input via the various built-in php methods.
User passwords are MD5'd and salted.

I guess another way of asking this is if MySQL attacks make up most of the security breaches that are public?

if your server is fairly secure then it's very rare for a hacker to gain read access to your files, but there's no absolutes in security, there's always going to be security holes.

I think it's a draw between SQL injections and XSS attacks (cross-site scripting), but I haven't seen any statistics so I don't know. But since script kiddies figured out they can use Google to expose SQLi vulnerabilities, that might have changed.
 

Broheim

I see what you mean but the system admin (which is not necessarily yourself) can usually see the file and hence the password. And if that password is for a database that contains sensitive data that admin should not be able to see, it is kind of an issue.

with any interpreted language there's no feasible way of obfuscating/hiding the password from someone with root access. that's why you need to trust your sys admin, if you don't you need to fire his ass the second you have doubts.
 

Cogman

with any interpreted language there's no feasible way of obfuscating/hiding the password from someone with root access. that's why you need to trust your sys admin, if you don't you need to fire his ass the second you have doubts.

Yep, access to the system as root = He can pretty much do whatever he wants. If you are trying to secure things against your system admin, you have some pretty big issues (as it is generally the system admin's responsibility to keep the system secure.)
 

Markbnj

Yep, access to the system as root = He can pretty much do whatever he wants. If you are trying to secure things against your system admin, you have some pretty big issues (as it is generally the system admin's responsibility to keep the system secure.)

There are many categories of data that need to be secured against unauthorized access from the inside as well as the outside. When I was working at an online banking company we secured all SSNs, account numbers, and passwords by encrypting them in the database. The same can also be done for credentials stored in external config files. It's easy with ASP.NET, and I assume there is some way to do the same with PHP.
 

Broheim

There are many categories of data that need to be secured against unauthorized access from the inside as well as the outside. When I was working at an online banking company we secured all SSNs, account numbers, and passwords by encrypting them in the database. The same can also be done for credentials stored in external config files. It's easy with ASP.NET, and I assume there is some way to do the same with PHP.

ASP.NET is compiled and PHP is interpreted, so there's no point to encrypting db credentials with php because somebody with read access can just read the decryption algorithm, you can't in ASP.net because you'd need to have access to the source code (well you can reverse-engineer it if you devote enough time and resources to it, obfuscating the VB.NET/C#/whatever code will make it much harder though).
 

iCyborg

ASP.NET is compiled and PHP is interpreted, so there's no point to encrypting db credentials with php because somebody with read access can just read the decryption algorithm, you can't in ASP.net because you'd need to have access to the source code (well you can reverse-engineer it if you devote enough time and resources to it, obfuscating the VB.NET/C#/whatever code will make it much harder though).
I'm not a DB guy, but what kind of a modern security mechanism relies on attackers' not knowing the details of the encryption/decryption algorithm? That just sounds wrong.
 

Markbnj

Does php have no mechanism to call out to a compiled module that could do the decryption and return the creds in stdout or something?
 

Broheim

Does php have no mechanism to call out to a compiled module that could do the decryption and return the creds in stdout or something?

php ships with mcrypt, but you still have to hardcode the decryption key into your code... so yeah.
 

beginner99

ASP.NET is compiled and PHP is interpreted, so there's no point to encrypting db credentials with php because somebody with read access can just read the decryption algorithm, you can't in ASP.net because you'd need to have access to the source code (well you can reverse-engineer it if you devote enough time and resources to it, obfuscating the VB.NET/C#/whatever code will make it much harder though).

.net and java are not really compiled. the bytecode can be converted back to source code with free apps. So no hard re-engineering needed. So putting a symmetrical encryption key into your code isn't a good idea in .net or java either.

Of course you would have to use a public key (e.g. asymmetrical cryptography) for decryption and store the encrypted password in a separate file.
And now that I'm writing it the password could easily be determined by debugging.
 

Broheim

I'm not a DB guy, but what kind of a modern security mechanism relies on attackers' not knowing the details of the encryption/decryption algorithm? That just sounds wrong.

I wasn't being precise, my bad, you're always going to hardcode your decryption key somewhere and if the attacker knows your key and algorithm then he can decode it as easily as you can.
 

Broheim

.net and java are not really compiled. the bytecode can be converted back to source code with free apps. So no hard re-engineering needed. So putting a symmetrical encryption key into your code isn't a good idea in .net or java either.

Of course you would have to use a public key (e.g. asymmetrical cryptography) for decryption and store the encrypted password in a separate file.
And now that I'm writing it the password could easily be determined by debugging.

yes, java and .net are compiled to bytecode, and I did write that obfuscating your code will make it harder to reverse engineer.
 

iCyborg

I wasn't being precise, my bad, you're always going to hardcode your decryption key somewhere and if the attacker knows your key and algorithm then he can decode it as easily as you can.
You would not store the key in plain text, you would use hash+salt to generate an encrypted representation of the password, so not even admin with root access should know other users' passwords. He can reset them of course, so if someone has root access, you're screwed one way or another, but that's a different issue...
 

Broheim

You would not store the key in plain text, you would use hash+salt to generate an encrypted representation of the password, so not even admin with root access should know other users' passwords. He can reset them of course, so if someone has root access, you're screwed one way or another, but that's a different issue...

you can't decrypt a hash, well you can but it's a pain in the butt to bruteforce and I only know of a few mathematicians who've broken weaker hashes with other methods, so only stuff like passwords you enter every time you log on makes sense to hash (and you should always do so, always, never ever store passwords as anything else than a hash, because nobody but the user needs to know the pass), but the OP was asking about db credentials which is standard practice to just hardcode because no matter what you do your system needs to know them in order to connect to the db, so you won't be able to keep them from someone with access to your source code.
 

beginner99

You would not store the key in plain text, you would use hash+salt to generate an encrypted representation of the password, so not even admin with root access should know other users' passwords. He can reset them of course, so if someone has root access, you're screwed one way or another, but that's a different issue...

And how do you pass that hashed password to php's mysql(i) function? It doesn't work. You need to pass it in plain text.

ok, for me this thread was quite helpful at understanding a few things.
 

sourceninja

I have a class that returns a singleton database connection. I store the user/pass in a separate INI file. The ini file is not done for security reasons, it is done so that changing the database type, username, password, port, etc can be done without editing source code.

These files of course are set to be readable by as narrow a range of users as possible.
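
One way to implement the setup described in this post (a singleton connection class reading an INI file with narrow read permissions), combined with the earlier point that the file should not be web accessible. This is an added example, not code from any poster; it uses PDO because `mysql_connect` was removed in PHP 7.0, and the paths, INI keys and the `Db` class name are assumptions.

```php
<?php
// Added example, not code from the thread. Requires PHP 8. Assumed layout (hypothetical paths):
//   /var/www/app/public/        web server document root
//   /var/www/app/config/db.ini  outside the document root, mode 0640
// Assumed db.ini contents (constructed sample values):
//   [database]
//   dsn  = "mysql:host=localhost;dbname=appdb;charset=utf8mb4"
//   user = "app_rw"
//   pass = "example-placeholder"

final class Db
{
    private static ?PDO $pdo = null;

    public static function connection(string $iniPath = '/var/www/app/config/db.ini'): PDO
    {
        if (self::$pdo !== null) {
            return self::$pdo;                       // singleton: reuse the open connection
        }
        $real = realpath($iniPath);
        if ($real === false) {
            throw new RuntimeException('Database config file not found');
        }
        // Refuse a config file the web server could hand out as a static file.
        $rootRaw = $_SERVER['DOCUMENT_ROOT'] ?? '';
        $root = $rootRaw !== '' ? realpath($rootRaw) : false;
        if ($root !== false && str_starts_with($real, $root . DIRECTORY_SEPARATOR)) {
            throw new RuntimeException('Database config must live outside the document root');
        }
        // Refuse a file that every local account can read, write or execute.
        $mode = fileperms($real);
        if ($mode === false || ($mode & 0007) !== 0) {
            throw new RuntimeException('Database config must not be accessible to "other"');
        }
        $cfg = parse_ini_file($real, true);
        $db = is_array($cfg) ? ($cfg['database'] ?? null) : null;
        if (!is_array($db) || !isset($db['dsn'], $db['user'], $db['pass'])) {
            throw new RuntimeException('Database config is incomplete');
        }
        try {
            self::$pdo = new PDO($db['dsn'], $db['user'], $db['pass'], [
                PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            ]);
        } catch (PDOException $e) {
            // Rethrow without chaining so a displayed trace cannot carry the credentials.
            throw new RuntimeException('Database connection failed');
        }
        return self::$pdo;
    }
}
```

The permission check assumes a Unix-like host where the file is owned by a deploy or root account and group-readable by the web server's group.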
 

iCyborg

And how do you pass that hashed password to php's mysql(i) function? It doesn't work. You need to pass it in plain text.

ok, for me this thread was quite helpful at understanding a few things.
OK, I see your point (and Broheim's, should've read the posts more carefully...), it's the password for DB Connect supplied by the system, not something some user would supply. In that case, I don't see what one could do better than what's in your first answer.