Securing db connection

Dear All:

I am a problem. The website I have was developed by someone else. And today I found one funny thing about it. Who knows, maybe it is the way it should be.

To connect to mysql database, our site uses .ini file, which has name of the db, password and such.

This file is located in the same folder as a .php file responsible for making called to db.

What is really weird is that if someone knows the name of the folder in which these files are located and the name of our .ini file, they will be able to access .ini file from the web browser. And that means they can easily retrieve our login and password to the database.

I don’t like this and I think it is a huge security whole. Am I right? Should I do something about it and what can I do?

Expert’s help is need!
Alex.

Not an expert but… I believe that if you put that information in a PHP include file (filename.inc.php) then the server will treat it as a php file (because it is) and then remote users should no longer be able to download and view the content of said file, even if they do guess the file name. At least… it seems to work that way on my XAMPP setup I’m using right now. If this is a production environment on the World Wild Web and has some of the error reporting of PHP turned off, all the user should get even if they know the file name and attempt to view the source is a basically empty html page.

HTH,

Monte

Thanks for your contribution and it looks like I was not clear enough describing the issue.

Imagine, there is a file called: connentToDb.php

There is also a file called: loginDetails.ini which contains the following lines:
dbname = “databaseName”;
dbpassword = “databasePassword”;

When connectToDb.php is called in an attempt to create a connection to a database, it will read loginDetails.ini into an array, then retrieve each line of this .ini file and connect to the database.

I know that if someone even guesses the name of the connectToDb.php file and they try to reach it through web browser… obviously they will get nothing simply because .php is server side.

But if they guess the location and name of the .ini file, then I am in trouble. That means they will be able to type this into a web browser: http://www.example.com/includes/loginDetails.ini and they will be able to retrieve the name and password of my database!!!

So, that is a problem.

Someone??? Would appreciate any feedback.
Alex.

I would get rid of the ‘ini’ file and store the login information directly in the ConnectToDB.php file. It sounds like this is being used as an include itself, which is essentially what I suggested earlier. It doesn’t make much sense to have the main scripts source an include file which in turn sources another text file - which is vulnerable to outside snooping, as you noted.

As an example, this example database connection include is from the code archive for one of Sitepoint’s books…

db.inc.php:

<?php
$link = mysqli_connect('localhost', 'root', 'password');
if (!$link)
{
	$error = 'Unable to connect to the database server.';
	include 'error.html.php';
	exit();
}

if (!mysqli_set_charset($link, 'utf8'))
{
	$output = 'Unable to set database connection encoding.';
	include 'output.html.php';
	exit();
}

if (!mysqli_select_db($link, 'ijdb'))
{
	$error = 'Unable to locate the correct database.';
	include 'error.html.php';
	exit();
}
?>

Keeping sensitive information in a PHP file is generally secure as long as the PHP engine is working. But if for some reason the PHP engine fails to parse the file as PHP it can then be seen as text, as a PHP file is a text file.

IMHO the best way is to put the file with the sensitive information outside of the root folder. eg.

host/domain.com/index.php
host/domain.com/css/style.css
host/domain.com/images/logo.png
host/domain.com/script/navigation.js
host/bin/
host/lib/
host/cgi/

Only files under “domain.com” can be accessed by a direct HTTP request (if allowed).
Files in “bin”, “lib” and “cgi” can not be accessed by HTTP requests, but can be included from scripts under “host”

In the example above, the “index.php” can access a “db.ini” file like
require ‘…/lib/db.ini’;

Your “domain.com” might be called something else like htdocs or wwwroot or publichtml or whatever, but it works the same.

Verrrrry interesting…

Something I will definitely have to look into. I hadn’t considered the possibility of php not working and rendering the config files visible to the outside world.

Thanks,

Monte

I seen this before. I have in one of my books that it says to include all values such as db connection information within an .ini file. Hence making it more secure. But i can’t remember the reason why.

I would recommend like the others are saying is to keep the connection string in a php file outside the root.