A simple question about PHP/MySQL Security

  • RedBMedia
  • Proficient
  • Posts: 315
Post 3+ Months Ago

I have often read on forums and articles that one should not put the MySQL login information in the same script that the SQL statements are in. Most recommend placing a default connection script above the web root, and having all your scripts include that script before any MySQL statements are run. My question is this: WHY?

I mean I can't fathom an instance where placing the file above the web root would make a difference. If an attacker had obtained the FTP information then they should have access to everything. Is there a way that hackers can gain access to a server's file system without FTP? And if so, would they then be restricted to the web root?
  • joebert
  • Fart Bubbles
  • Genius
  • Posts: 13504
  • Loc: Florida

Post 3+ Months Ago

I'm not sure, but I believe this train of thought comes from an era where people used "*.inc" files as includes instead of "*.php" files. In that situation, the information within the *.inc files could be visible to someone accessing it through a browser since the server generally isn't setup to parse *.inc files as PHP when they're requested directly.
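A concrete version of the two layouts joebert describes, as an added example that is not code from the thread. The paths, the database name and the credentials are hypothetical; it assumes a web server whose document root is /var/www/html and which hands only *.php files to the PHP interpreter.

```php
<?php
// Added example, not from the original thread. Paths and credentials are hypothetical.
//
// Layout being warned against:
//   /var/www/html/config.inc   <- under the web root, and "*.inc" is not handed to PHP,
//                                 so GET /config.inc returns the raw file, password included.
//
// Recommended layout:
//   /var/www/config/db.php     <- above the web root: no URL maps to it at all
//   /var/www/html/index.php    <- the only file the web server will serve

// ---------- file 1: /var/www/config/db.php ----------
// Even if a copy of this file ended up under the web root, it is a .php file,
// so the server would execute it and return an empty body, not its source.
return [
    'dsn'  => 'mysql:host=localhost;dbname=appdb;charset=utf8mb4',
    'user' => 'appdb_user',      // a per-site account, never the MySQL root user
    'pass' => 'example-only',
];

// ---------- file 2: /var/www/html/index.php ----------
// dirname(__DIR__) resolves to /var/www, so the include path depends neither on
// user input nor on the current working directory.
$config = require dirname(__DIR__) . '/config/db.php';

$pdo = new PDO($config['dsn'], $config['user'], $config['pass'], [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
unset($config['pass']);   // no reason to keep the secret in scope after connecting

// From here on, every script that includes index.php (or a shared bootstrap
// that does the above) runs its queries against $pdo without ever seeing
// the credentials in its own source.
$stmt = $pdo->query('SELECT 1');
$ok = ($stmt->fetchColumn() === '1' || $stmt->fetchColumn() === 1);
```

To check the point joebert makes, request the config file directly (for example with `curl -i http://yourhost/config.inc`) and confirm you get a 403 or 404 rather than the file's text. If a config file must stay under the web root, the server has to be told to refuse it; on Apache 2.4 a `<FilesMatch "\.inc$"> Require all denied </FilesMatch>` block does that. Using a per-site MySQL account whose grants cover only that site's database limits what a leaked password is worth, which also addresses the shared-hosting case raised later in the thread.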
  • Don2007
  • Web Master
  • Posts: 4923
  • Loc: NY

Post 3+ Months Ago

Also, don't forget about SQL injection which can yield root.

http://www.youtube.com/watch?v=7zZLdx1JmmQ

That's one of many videos on SQL injection.
  • dark_lord
  • Graduate
  • Posts: 162
  • Loc: India-Kolkata

Post 3+ Months Ago

One reason may be that in shared hosting, a badly configured database server can allow website B's script to gain access if website B knows the MySQL login information of website A and both websites (A and B) are provided by the same hosting provider on the same database server.

FTP is a process responsible for file transfer; the only way to get access is to get hold of FTP by some program or means. HTTP also allows access, but your scripts will be parsed by the server before they are shown. So only FTP is responsible; therefore the only way is to gain access to FTP, and I don't think you can restrict it to the web root.

:D Also, if an attacker gains access to FTP, then he/she will not only steal your database info, but surely the rest of the other scripts too, and put in his own, because at that instant he/she owns the place.
  • LightningRider
  • Newbie
  • Posts: 9

Post 3+ Months Ago

Well even if he did get FTP access, he would be able to get your database user info (from a config file) and write a script to give him all the database rows and tables through FTP.
About SQL Injection, mysql_real_escape_string() should work fine. (look it up on php.net if necessary)
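The injection Don2007 points to and the escaping LightningRider mentions, side by side as an added example; this is not LightningRider's code nor anything from the thread. It assumes a MySQL table users(id INT, name VARCHAR, email VARCHAR) reachable through PDO; the DSN and credentials are hypothetical.

```php
<?php
// Added example, not from the original thread. DSN, credentials and the users
// table are assumptions.
declare(strict_types=1);

// VULNERABLE: the input is spliced into the SQL text, so a value such as
//     ' OR '1'='1
// turns   WHERE name = '...'   into   WHERE name = '' OR '1'='1'
// and the statement returns every row in the table.
function findUserVulnerable(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name, email FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the SQL text is fixed at prepare time; the value travels separately
// as a bound parameter, so the server can never parse it as part of the statement.
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Numeric context: there are no quotes around $id in the SQL, so escaping quote
// characters would not help here (input "1 OR 1=1" contains none). Binding with
// an explicit integer type closes that hole as well.
function findUserById(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Emulated prepares are switched off so the MySQL server performs the binding
// itself instead of the PDO driver interpolating quoted values client-side.
$pdo = new PDO(
    'mysql:host=localhost;dbname=appdb;charset=utf8mb4',   // hypothetical DSN
    'appdb_user',
    'example-only',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$attackerInput = "' OR '1'='1";   // constructed attacker input
$leaked = findUserVulnerable($pdo, $attackerInput);   // whole table
$safe   = findUserSafe($pdo, $attackerInput);         // only a user literally named that
printf("vulnerable query returned %d rows, bound query returned %d rows\n",
       count($leaked), count($safe));
```

Escaping with mysql_real_escape_string() only protects a value that sits inside a quoted string literal; a bare numeric context like `WHERE id = $id` stays injectable no matter how the quotes are escaped. The `mysql_*` extension it belongs to was also removed in PHP 7, so current code reaches for PDO or MySQLi prepared statements, which handle both cases the same way.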
  • dark_lord
  • Graduate
  • Posts: 162
  • Loc: India-Kolkata

Post 3+ Months Ago

Now the question is:

What can a person do by stealing MySQL login information?

Assuming the server is well configured (and the reason I gave above can never happen)?


© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.