My application is connecting to a DB2 database via PHP (using the IBM_DB2 API).
The server discussed is not directly connected to the web; the main risk we are defending against is a compromised employee computer (that is connected to the web) being used to access the database via my application (whether using the application to read files directly, or using it to harvest credentials of privileged accounts and then proceeding to the database directly).
I’ve already set up new database accounts with minimal privileges for each unique task at hand (and have measures in place to ensure that my users must prove they have access), but I am concerned about the way I’m providing the connection arguments.
To connect to the database, I must provide arguments for the database name, user name, and user password (with user name and user password corresponding to an authorized Database account):
// Connection arguments are hard-coded in the class that opens the connection.
$this->dbName = "database_name_string";
$this->dbUser = "username_string";
$this->dbPass = "password_string";
// db2_connect() returns a connection resource, or false on failure.
$this->conn = db2_connect( $this->dbName, $this->dbUser, $this->dbPass );
I want to know if I need to store these in some other, more-secure way (and what that way would be). I’m thinking that if someone is reading my PHP files (not accessible by anyone other than myself and IT), I’m already screwed from a security standpoint. And even if they did get access to the said accounts, the accounts have read-only access to non-sensitive files.
But, if I were to extend the application’s functionality to allow access to more-sensitive files, I would want to know that I’ve handled this issue correctly. In fact, we will not extend the functionality unless we can verify that the methods we are using are secure. I also want to know if this method would be considered sloppy if it made it to production-level code.
I know I would feel better if I used some form of symmetric encryption to store the credentials in a config file somewhere, but I don’t know if that would actually improve anything at all. If we assume our theoretical attacker has hacked into my computer or an IT computer and can read our PHP to see the credentials with the first solution, wouldn’t we assume they read the PHP and see how to decrypt the credentials with the second solution? I guess it depends on whether or not they can gain access to wherever the credentials are stored?
Half of the reason I’m typing this is to help myself think through the problem completely, and the other half is to make sure somebody tells me where and how I’m doing things wrong, so feel free to tell me if I’m completely off the reservation here. Thanks.
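One way to take the connection arguments out of the PHP source, as an added example that is not part of the original post: the credentials live in an INI file outside the web root, the loader refuses to use the file unless only its owner (the web-server account) can read it, and the connection is opened from the loaded values. The file path, INI keys and function names are assumptions, not values from the post.

```php
<?php
// Added example (not from the original post): keep DB2 credentials out of the
// PHP files, in an INI file outside DocumentRoot that only the web-server user
// can read, and refuse to connect if anyone else can read it.
// Path and INI keys are assumptions.

const CREDENTIALS_FILE = '/etc/myapp/db2-credentials.ini';   // outside the web root

// Expected contents of the INI file (owner = web-server user, mode 0400):
//   name = database_name_string
//   user = username_string
//   pass = password_string

function loadDb2Credentials(string $path): array
{
    if (!is_file($path)) {
        throw new RuntimeException("credentials file not found: $path");
    }
    // Group- or world-readable credentials defeat the point of moving them out
    // of the code base, so treat that as a configuration error, not a warning.
    $mode = fileperms($path) & 0777;
    if ($mode & 0077) {
        throw new RuntimeException(
            sprintf('credentials file %s is mode %04o; expected 0400', $path, $mode)
        );
    }
    $ini = parse_ini_file($path, false, INI_SCANNER_RAW);
    foreach (['name', 'user', 'pass'] as $key) {
        if (!isset($ini[$key]) || $ini[$key] === '') {
            throw new RuntimeException("credentials file is missing '$key'");
        }
    }
    return $ini;
}

function connectDb2(array $cred)
{
    // db2_connect() returns a connection resource or false. The error message
    // deliberately contains the DB2 error text only, never the password.
    $conn = db2_connect($cred['name'], $cred['user'], $cred['pass']);
    if ($conn === false) {
        throw new RuntimeException('DB2 connection failed: ' . db2_conn_errormsg());
    }
    return $conn;
}

$conn = connectDb2(loadDb2Credentials(CREDENTIALS_FILE));
```

Someone who can read the PHP source still learns where the file is, but they also need read access as the web-server user to obtain the values, which is the separation the post is asking about.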