PHP/MySQL Security
Maqrkk
March 29th, 2008, 05:51 PM
Hello,
I've got a few questions regarding 'security'. I've got a server on which I do some PHP and MySQL work. Is it possible for an outsider to view the contents of my php file? And I mean the script, not the actual output.
I'm asking this because the server is mostly open-dir, so I can browse it easily myself. In my scripts I connect to my MySQL Database with a username and password. Is it possible for anyone to see the username and password? And IF they can, would they be able to connect to my Database with that username and password?
I'm just a little worried because the server is not actually mine, it belongs to my father, but I don't want to risk him losing important data.
Thanks in advance,
Maqrkk
Voetsjoeba
March 29th, 2008, 06:22 PM
In my scripts I connect to my MySQL Database with a username and password. Is it possible for anyone to see the username and password?
No, it's not possible for them to view the source code of your PHP scripts over HTTP. That is, of course, supposing that:
- you have Apache configured for handling PHP files correctly (which I'm sure you do, because your scripts work)
- your script filenames end in .php (at the very least if they are available over HTTP, i.e. inside your public_html directory, but it's good practice to name all your PHP scripts with names that end in .php)
Failing that second requirement is a very stupid way to get your database info stolen, so make sure that all your PHP scripts end in .php. Sometimes people use names like database.php.inc, and when someone requests such a file over HTTP Apache doesn't process it as PHP and serves it as plain text. Not good.
Also, it is possible for them to view your source code if they can get your application to serve it to them. For example, suppose you have a PHP file that has the following in it:
echo file_get_contents($_GET['file']);
This will enable them to view any file they wish on your server, including your PHP scripts. That is why when developing for PHP it is critical to keep security in mind at all times and to never trust user input. This includes all $_GET, $_POST, $_REQUEST and $_COOKIE variables, all file uploads, all headers sent in the HTTP request, session IDs, and so on. 99% of all security vulnerabilities in websites built using PHP are due to failing to properly validate user input (and it gives PHP the reputation of being "insecure", bah).
And IF they can, would they be able to connect to my Database with that username and password?
If your application can, then so can they.
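The `echo file_get_contents($_GET['file']);` problem from the reply above, shown next to one way of fixing it. This is an added example, not code from the thread: the directory layout, the filenames and the `serve_file_*` function names are assumptions made for the demonstration, and the demo files are constructed in a temporary directory so it runs offline.

```php
<?php
// Added example (not from the original thread). Demonstrates why
// `echo file_get_contents($_GET['file']);` leaks any file on the server,
// and one way to harden it: an allowlist of filenames plus a realpath check.

// VULNERABLE: whatever path the client supplies is read and echoed,
// including ../config.php or /etc/passwd. Never deploy this.
function serve_file_vulnerable(string $requested): string
{
    return file_get_contents($requested);
}

// HARDENED: only simple filenames with an allowed extension, resolved inside
// one assumed public directory ($baseDir), are ever read.
function serve_file_hardened(string $requested, string $baseDir): ?string
{
    // Reject anything that is not a plain filename: no slashes, no "..".
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(txt|html)\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    // realpath() returns false for missing files and follows symlinks, so a
    // link pointing outside $base is caught by the prefix check below.
    if ($base === false || $real === false) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return file_get_contents($real);
}

// Constructed demo data: a public directory with one page, and a "secret"
// database config one level above it (outside the web root).
$tmp = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir("$tmp/public", 0700, true);
file_put_contents("$tmp/config.php", "<?php \$db_pass = 'hunter2';");
file_put_contents("$tmp/public/about.txt", "About this site.");

// In a real script $requested would be $_GET['file']; here it is supplied directly.
// The vulnerable version happily hands over the database password:
echo serve_file_vulnerable("$tmp/public/../config.php"), PHP_EOL;

// The hardened version serves the legitimate page...
var_dump(serve_file_hardened('about.txt', "$tmp/public"));
// ...and refuses the traversal attempt (and anything else that is not a plain filename).
var_dump(serve_file_hardened('../config.php', "$tmp/public"));

// Clean up the constructed files.
unlink("$tmp/public/about.txt");
unlink("$tmp/config.php");
rmdir("$tmp/public");
rmdir($tmp);
```

The regex alone already blocks traversal; the `realpath()` prefix check is defence in depth against symlinks and against future edits that relax the pattern. The same reasoning applies to the `.php.inc` point in the reply: include files are safest kept outside the public directory altogether, so that no misconfiguration can cause Apache to serve them as text.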
Maqrkk
March 29th, 2008, 06:36 PM
Thanks for the quick reply!
So if I understand this correctly, if I just name all my PHP files properly and am very careful with user input, there is nothing to worry about?
If I do all this, is there any way someone could 'enter' my database and erase/change data on it?
Voetsjoeba
March 29th, 2008, 06:55 PM
So if I understand this correctly, if I just name all my php files properly and be very careful with user input, there is nothing to worry about?
That's right. On a side note, if you're worried about your database you might want to read up about SQL Injection attacks. Again, it is an issue that is caused by not properly handling user input, but it is specifically geared towards hijacking SQL queries.
If I do all this, is there any way someone could 'enter' my database and erase/change data on it?
If you code your application properly and securely, then you have little to worry about. Your application isn't the only way to gain access to your database though. One thing you'll also have to do is to make sure your MySQL access rights are configured correctly. For example, you wouldn't believe how many MySQL servers are out there with the default or even no password for the root account! For additional security, make your passwords long and complicated.
Then there's common-sense security measures like not keeping your passwords in plain sight somewhere else, regularly updating your software, using firewalls, etc. Most of these are your host's responsibility, but it's good to be aware of what's involved in keeping your data secure.
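The SQL injection attack the reply points to, and the question of whether someone could erase or change data, shown in code. This is an added example, not code from the thread. To run without a MySQL server it uses an in-memory SQLite database through PDO; the same PDO calls work unchanged against MySQL with a DSN such as `mysql:host=localhost;dbname=site`. The table, the users and the attacker inputs are all constructed for the demonstration.

```php
<?php
// Added example (not from the original thread). Shows an SQL injection
// against string-built queries and the prepared-statement fix. Uses PDO with
// in-memory SQLite so it runs offline; swap the DSN for a MySQL one in practice.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO users (username) VALUES (?)');
foreach (['maqrkk', 'voetsjoeba'] as $name) {   // constructed sample rows
    $insert->execute([$name]);
}

// VULNERABLE: the username is pasted into the query text, so the client
// controls the SQL. This is the shape of typical mysql_query() code.
function find_user_vulnerable(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the query text is fixed; the value travels as a bound parameter
// and cannot change the statement's structure.
function find_user_hardened(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The same flaw in a write path is how data gets erased: an unquoted numeric
// parameter lets the attacker widen the WHERE clause to every row.
function delete_user_vulnerable(PDO $pdo, string $id): int
{
    return $pdo->exec("DELETE FROM users WHERE id = $id");
}

function delete_user_hardened(PDO $pdo, string $id): int
{
    $stmt = $pdo->prepare('DELETE FROM users WHERE id = ?');
    $stmt->execute([(int) $id]);   // cast: only an integer ever reaches the query
    return $stmt->rowCount();
}

// Constructed attacker inputs.
$attackName = "' OR '1'='1";   // closes the string, makes the WHERE always true
$attackId   = '0 OR 1=1';      // turns "id = 0" into "id = 0 OR 1=1"

print_r(find_user_vulnerable($pdo, $attackName));          // every account
print_r(find_user_hardened($pdo, $attackName));            // empty: no such user
echo delete_user_hardened($pdo, $attackId), " rows deleted\n";   // 0
echo delete_user_vulnerable($pdo, $attackId), " rows deleted\n"; // 2: table wiped
```

Prepared statements fix the query side; the access-rights point in the reply is the other half. A web application should connect as its own MySQL account that holds only the privileges its queries need on its own database (for example `GRANT SELECT, INSERT, UPDATE, DELETE ON site.* TO 'site_app'@'localhost'`, with `site` and `site_app` being hypothetical names), never as root, so that even a successful injection cannot touch other databases or administrative functions.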
Maqrkk
March 29th, 2008, 07:40 PM
Thanks, I think I'm good then. I'll read up on the SQL injection stuff, but I think I'm good for now; currently only a few people even know about my site. Thanks for your replies!