Security in PHP DB Access

Viewed 900 times

I'm setting up a website, and I'm not sure how to secure my database. I currently have a "Security" folder with the file connection.php, which connects to the database. I include this file on every page that needs a connection. The question is: what is the right way to access the DB? Is this file safe?

The connection file:

<?php
$databaseHost = 'meu host';
$databaseName = 'meu bd';
$databaseUsername = 'meu user';
$databasePassword = 'meu password';
$mysqli = mysqli_connect($databaseHost, $databaseUsername, $databasePassword, $databaseName);
?>

In the pages that need it, I only do include("seguranca/connection.php");

  • More details: which method do you use to connect? Any particular pattern? How do you do it? What security problem are you talking about: XSS, CSRF, SQL injection? Can't calculate without variables. Try editing to give more information.

1 answer

Answering directly:

If your code were exposed to the public at any time, would it expose your credentials?


If you do:

$login = 'usuario';
$senha = 'minhasenha';

That will never be a good idea; this is even called a hard-coded password, and it has a friend, the hard-coded cryptographic key. Of course, storing a public key in the code (which can only encrypt and verify signatures) is generally not a bad idea, but that is not the case here.


One of the simplest alternatives is to use getenv(), which obtains a user environment variable. An example:

$pdo = new \PDO(
    'mysql:host=100.100.100.100;dbname=banco_de_dados',
    getenv('MYSQL_USUARIO'),
    getenv('MYSQL_SENHA')
);


$mysqli = new \mysqli('100.100.100.100', 
     getenv('MYSQL_USUARIO'),
     getenv('MYSQL_SENHA'),
     'banco_de_dados'
);

Obviously it is necessary to set the environment variable on the production server beforehand, and only that server should have this information.

This is also done for API keys, for example:

$proof = hash_hmac('sha256', $fbToken, getenv('FACEBOOK_SECRET'));

$curl = curl_init('https://graph.facebook.com/me/accounts?appsecret_proof=' . $proof . '&access_token=' . $fbToken);
//...

Note: sha256 is written directly in the code because it is the only method supported by Facebook.


Using getenv(), even if your code is exposed, both the database passwords and the Facebook secret key are safe in this example. It is also ideal to use physically distinct servers, one for PHP and another for MySQL.

If instead you had defined $senha_do_banco = '123456789', your exposed code would cause much bigger problems, giving away the database information and the Facebook application key.

Also, your production server will have (and should have!) passwords different from development. Once the environment variable is set, each server will have its own passwords without ever having to change the code.


Besides, doing this:

index.php:

include('conexao.php');
echo 'Você está no index';

is useless: if the interpreter fails (or is forced to fail), the "user" can go to site.com/conexao.php and will get the information, although this can be considered "rare".

Putting the file in a non-accessible location would be less bad:

index.php:

include('../conexao.php');
echo 'Você está no index';

I recommend you read:

  • I do it the way you said, declaring the variables in the connection file, but I didn't understand how getenv would be safer, since the variables are also declared in the same file. Or did I misunderstand?

  • You misunderstood. getenv obtains an environment variable. For example, in Windows 10 you can set it under "Edit user environment variables" (search from Start) and set the variable. They will be outside your code and accessible within it. If you create a Windows user variable "FACEBOK_SECRET" (or any name) you can access it within PHP.
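Putting the answer's two points together (credentials from getenv() and the connection file outside the web root), here is an added example that is not from the original answer or the asker's code. It assumes a layout of /var/www/app/conexao.php next to a public/ document root, and the environment variable names DB_HOST, DB_NAME, DB_USER and DB_PASSWORD are constructed for the example.

```php
<?php
// conexao.php, kept one level above the document root so a misconfigured
// interpreter cannot serve it as plain text (the site.com/conexao.php case).
// Assumed layout:  /var/www/app/conexao.php        (this file)
//                  /var/www/app/public/index.php   (document root)
// Assumed env names (constructed): DB_HOST, DB_NAME, DB_USER, DB_PASSWORD.
declare(strict_types=1);

function requireEnv(string $name): string
{
    $value = getenv($name);
    // Fail closed: a missing variable must never fall back to a default
    // credential written into the code.
    if ($value === false || $value === '') {
        throw new RuntimeException("Missing required environment variable: $name");
    }
    return $value;
}

function connectDatabase(): PDO
{
    // DSN uses "mysql:" (a colon); "mysql;" is a common typo that fails to connect.
    $dsn = sprintf(
        'mysql:host=%s;dbname=%s;charset=utf8mb4',
        requireEnv('DB_HOST'),
        requireEnv('DB_NAME')
    );

    return new PDO($dsn, requireEnv('DB_USER'), requireEnv('DB_PASSWORD'), [
        // Throw on errors instead of silently returning false.
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepared statements, so user input never becomes SQL text.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// --- public/index.php (shown here as comments for completeness) ---
// require __DIR__ . '/../conexao.php';   // path relative to this file, not to the URL
// $pdo  = connectDatabase();
// $stmt = $pdo->prepare('SELECT id, nome FROM usuarios WHERE email = :email');
// $stmt->execute([':email' => $_GET['email'] ?? '']);
// $usuario = $stmt->fetch();
```

The variables are set in the web server's process environment on each machine (the answer's point about the production server), never in a file committed alongside the code.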
