foxymoron7 asked:

hide database login credentials from print_r, var_dump, reflection, etc.

Hi all,

Using WordPress as an example may help clarify my question.

If someone gains access to the server where the WordPress installation is located, they can upload a simple file to find out the login credentials for the installation's database.

simple file example:
<?php
require_once 'wp-load.php';
global $wpdb;
var_dump($wpdb);
?>



By uploading that file and calling it in a web browser I can see the dbuser, dbpass, dbhost, etc. properties of $wpdb.

How can one use a class that handles all database tasks and hide these properties from outsiders, or at least make them much more difficult to find out?  I've thought of holding the values in a separate class that gets called from the main class but the var dump would clue a snooper in as to what class to next run the var_dump on, so that doesn't seem effective unless you were to put the credentials many, many classes deep in a chain.

Thanks!
Topics: PHP, MySQL Server, Scripting Languages

Last Comment: Ray Paseur

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION: Ray Paseur (answer text not shown; hidden behind the site's membership wall)
foxymoron7 (ASKER):
Thanks Ray_Paseur,
Let's go with the assumption that one doesn't allow access to the server beyond any uploads that a CMS or web application allows (pics, media files, etc.) that would be placed in a folder on the server.  My skill set in the area of security is pretty weak, so I always work under the assumption that any server can be accessed by someone who is skilled enough.  I'm confident in the overall security of my hosting provider, so I'm asking more in a "what if, possibly, someday..." way.

If I store the values in a config file that is placed outside of the public server folders and called by the script, the values become accessible to a var_dump of the class once they are called and used by the class, correct?

But if I understand you correctly, I may be able to unset those properties after a connection is made to the database and that connection is stored as a property of the class object?  Using the $wpdb object from the initial example:

$wpdb->dbh holds the connection resource, and now the $wpdb object no longer needs to store the credentials used to create the connection, so they can be unset after a simple test of the $wpdb->dbh property returns true?

Thank you.
Ray Paseur

I think that is correct.  I will try it and let you know what happens.
Ray Paseur

This tested out the way we want.
http://www.laprbass.com/RAY_mysql_CREATE_TEMPORARY_TABLE.php

Check the moving parts in lines 12-13, 37-41.  The rest is just the test structure.

<?php // RAY_mysql_CREATE_TEMPORARY_TABLE.php
error_reporting(E_ALL);
echo "<pre>";

// THE mysql_* FUNCTIONS THIS SCRIPT ORIGINALLY USED WERE REMOVED IN PHP 7;
// THE mysqli_* PROCEDURAL CALLS BELOW ARE THEIR ONE-TO-ONE REPLACEMENTS.
// KEEP mysqli IN RETURN-VALUE MODE SO THE if (!...) TESTS BELOW STILL WORK
// (PHP 8.1 AND LATER THROW EXCEPTIONS BY DEFAULT INSTEAD OF RETURNING FALSE)
mysqli_report(MYSQLI_REPORT_OFF);


// CONNECTION AND SELECTION VARIABLES FOR THE DATABASE
$db_host = "localhost"; // PROBABLY THIS IS OK
$db_name = "??";        // GET THESE FROM YOUR HOSTING COMPANY
$db_user = "??";
$db_word = "??";

// LIVE DATABASE CREDENTIALS ABOVE WEB ROOT
require_once('../db_info.php');


// OPEN A CONNECTION TO THE DATA BASE SERVER
// MAN PAGE: http://php.net/manual/en/function.mysqli-connect.php
if (!$db_connection = mysqli_connect($db_host, $db_user, $db_word))
{
    $errmsg = mysqli_connect_errno() . ' ' . mysqli_connect_error();
    echo "<br/>NO DB CONNECTION: ";
    echo "<br/> $errmsg <br/>";
    die('NO DATA BASE'); // NOTHING BELOW CAN WORK WITHOUT A LINK
}

// SELECT THE MYSQL DATA BASE
// MAN PAGE: http://php.net/manual/en/function.mysqli-select-db.php
if (!$db_sel = mysqli_select_db($db_connection, $db_name))
{
    $errmsg = mysqli_errno($db_connection) . ' ' . mysqli_error($db_connection);
    echo "<br/>NO DB SELECTION: ";
    echo "<br/> $errmsg <br/>";
    die('NO DATA BASE');
}
// IF WE GOT THIS FAR WE CAN DO QUERIES


// REMOVE THE VARIABLES THAT HOLD THE CREDENTIALS
// THE LINK IN $db_connection KEEPS WORKING; IT DOES NOT NEED THEM ANY MORE
unset($db_host, $db_name, $db_user, $db_word);

// PROVE THEY ARE NOT THERE ANY MORE
// (WITH E_ALL, PHP ALSO WARNS "Undefined variable" FOR EACH ONE; THAT IS THE POINT)
var_dump($db_host, $db_name, $db_user, $db_word);


// CREATING A TABLE
$sql = "CREATE TEMPORARY TABLE my_table (
        _key INT         NOT NULL AUTO_INCREMENT,
        name VARCHAR(24) NOT NULL DEFAULT '',
        PRIMARY KEY(_key)  )";
$res = mysqli_query($db_connection, $sql);

// IF mysqli_query() RETURNS FALSE, GET THE ERROR REASONS
if (!$res)
{
    $errmsg = mysqli_errno($db_connection) . ' ' . mysqli_error($db_connection);
    echo "<br/>QUERY FAIL: ";
    echo "<br/>$sql <br/>";
    die($errmsg);
}



// ESCAPING A DATA FIELD FOR USE IN MYSQL QUERIES
// MAN PAGE: http://php.net/manual/en/mysqli.real-escape-string.php
// CREATE AN ARRAY OF NAMES
$names   = array();
$names[] = mysqli_real_escape_string($db_connection, "Williams");
$names[] = mysqli_real_escape_string($db_connection, "Paseur");
$names[] = mysqli_real_escape_string($db_connection, "O'Reilly");
$names[] = mysqli_real_escape_string($db_connection, "Paseur");
$names[] = mysqli_real_escape_string($db_connection, "Paseur");



// MAKING AN INSERT QUERY, USING THE ESCAPED STRINGS AND TESTING THE RESULTS
foreach ($names as $name)
{
    $sql = "INSERT INTO my_table ( name ) VALUES ( '$name' )";
    $res = mysqli_query($db_connection, $sql);

    // IF mysqli_query() RETURNS FALSE, GET THE ERROR REASONS
    if (!$res)
    {
        $errmsg = mysqli_errno($db_connection) . ' ' . mysqli_error($db_connection);
        echo "<br/>QUERY FAIL: ";
        echo "<br/>$sql <br/>";
        die($errmsg);
    }
} // IF WE GET THIS FAR, THE INSERT QUERIES ALL SUCCEEDED



// GET THE AUTO_INCREMENT ID OF THE LAST RECORD WE INSERTED
// MAN PAGE: http://php.net/manual/en/mysqli.insert-id.php
$_key  = mysqli_insert_id($db_connection);

echo PHP_EOL . "LAST KEY: $_key AND NAME WITH ESCAPE STRING INCLUDED: $name";
echo PHP_EOL;



// MAKING A SELECT QUERY AND TESTING THE RESULTS
$sql = "SELECT * FROM my_table ORDER BY name ASC";
$res = mysqli_query($db_connection, $sql);

// IF mysqli_query() RETURNS FALSE, GET THE ERROR REASONS
if (!$res)
{
    $errmsg = mysqli_errno($db_connection) . ' ' . mysqli_error($db_connection);
    echo "<br/>QUERY FAIL: ";
    echo "<br/>$sql <br/>";
    die($errmsg);
} // IF WE GET THIS FAR, THE QUERY SUCCEEDED AND WE HAVE A RESULT OBJECT IN $res SO WE CAN NOW USE $res IN OTHER MYSQLI FUNCTIONS



// ITERATE OVER THE RESULTS SET TO SHOW WHAT WE SELECTED
while ($row = mysqli_fetch_assoc($res))
{
    var_dump($row);
}


HTH, ~Ray
foxymoron7 (ASKER):
Thanks Ray_Paseur!

I ran a quick test of unsetting the values, and the object remains usable for querying.  For my purposes, keeping a live connection resource for the life of the object is not a problem, but I expect it may become one for high-volume/traffic sites.  So viewers of this solution may want to explore that side of the solution further.

Thank you!
Ray Paseur

I think you might be able to unset the values inside the object.  There was no object in my test, but if you consider the variable scope both outside and inside the object, you will see that there are two copies of the variable.  Both copies would need to be nullified.

Thanks for the points, and thanks for using EE, ~Ray
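Pulling the thread's conclusions together (the asker's idea of keeping only the connection handle, and Ray's point that the caller's copies of the variables must go as well), here is an added example. It is my code, not Ray's, the asker's, or the WordPress $wpdb class: a small PDO-based database class that receives the credentials only as constructor arguments, keeps nothing but the connection handle, and defines __debugInfo() so that var_dump() and print_r() show a summary instead of the object's real properties. The path ../db_info.php and the variable names follow Ray's script; host, database and account values are placeholders.

```php
<?php
// Added example (not from the thread): a database wrapper that drops its
// credentials as soon as the connection exists, and controls what
// var_dump() / print_r() display. Placeholder names throughout.

declare(strict_types=1);

final class Db
{
    // The only state kept: the live connection. A dumped PDO object shows
    // no DSN, user name or password, so there is nothing here to leak.
    private ?PDO $dbh = null;

    // Credentials arrive here and are used once. They are never assigned to
    // properties, and the local copies are unset before the method returns.
    public function __construct(string $host, string $name, string $user, string $word)
    {
        $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $host, $name);
        $this->dbh = new PDO($dsn, $user, $word, [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]);
        unset($dsn, $host, $name, $user, $word);
    }

    public function connected(): bool
    {
        return $this->dbh instanceof PDO;
    }

    // All queries go through prepared statements; callers never get the handle.
    public function rows(string $sql, array $params = []): array
    {
        $stmt = $this->dbh->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }

    // Since PHP 5.6, var_dump() and print_r() use this instead of listing
    // the real properties. var_export(), (array) casts and Reflection do not.
    public function __debugInfo(): array
    {
        return ['connected' => $this->connected()];
    }
}

// --- usage -----------------------------------------------------------------
// Assumed: ../db_info.php (above the web root, as in Ray's script) defines
// $db_host, $db_name, $db_user, $db_word.
require_once __DIR__ . '/../db_info.php';

$db = new Db($db_host, $db_name, $db_user, $db_word);

// Ray's "two copies" point: the constructor cleared its own copies, but the
// caller's variables are a separate copy and must be removed too.
unset($db_host, $db_name, $db_user, $db_word);

var_dump($db);                          // object(Db)#1 (1) { ["connected"]=> bool(true) }
var_dump($db->rows('SELECT 1 AS one')); // the object still works without its credentials
```

Two caveats a practitioner should keep in mind. First, __debugInfo() only changes what var_dump() and print_r() display; an (array) cast, var_export(), or the Reflection API still reach private properties, which is why the class stores only the PDO handle (whose dump carries no DSN or password) rather than relying on __debugInfo() to hide credentials it still holds. Second, as the asker already suspects, this is defence in depth, not a barrier: a PHP file an attacker can upload and execute runs as the same OS user as the site and can simply include or read ../db_info.php. Discarding the credentials after connecting limits what leaks through debug output, error pages, logs and stack traces; it does not protect against someone who can already run code on the server.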