foxymoron7 asked:
hide database login credentials from print_r, var_dump, reflection, etc.

Hi all,

Using WordPress as an example may help clarify my question.

If someone gains access to the server where the WordPress installation is located, they can upload a simple file to find out the login credentials for the installation's database.

simple file example:
<?php
require_once 'wp-load.php';
global $wpdb;
var_dump($wpdb);
?>


By uploading that file and calling it in a web browser I can see the dbuser, dbpass, dbhost, etc. properties of $wpdb.

How can one use a class that handles all database tasks and hide these properties from outsiders, or at least make them much more difficult to find out?  I've thought of holding the values in a separate class that gets called from the main class but the var dump would clue a snooper in as to what class to next run the var_dump on, so that doesn't seem effective unless you were to put the credentials many, many classes deep in a chain.

Thanks!
Tags: PHP, MySQL Server, Scripting Languages

ASKER CERTIFIED SOLUTION
Ray Paseur
foxymoron7 (ASKER)

Thanks Ray_Paseur,
Let's go with the assumption that one doesn't allow access to the server beyond any uploads that a CMS or web application allows (pics, media files, etc.) that would be placed in a folder on the server.  My skill set in the area of security is pretty weak, so I always work under the assumption that any server can be accessed by someone who is skilled enough.  I'm confident in the overall security of my hosting provider, so I'm asking more in a "what if, possibly, someday..." way.

If I store the values in a config file that is placed outside of the public server folders and called by the script, the values become accessible to a var_dump of the class once they are called and used by the class, correct?

But if I understand you correctly, I may be able to unset those properties after a connection is made to the database and that connection is stored as a property of the class object?  Using the $wpdb object from the initial example:

$wpdb->dbh holds the connection resource, and now the $wpdb object no longer needs to store the credentials used to create the connection, so they can be unset after a simple test of the $wpdb->dbh property returns true?

Thank you.
Ray Paseur

I think that is correct.  I will try it and let you know what happens.
Ray Paseur

This tested out the way we want.
http://www.laprbass.com/RAY_mysql_CREATE_TEMPORARY_TABLE.php

Check the moving parts in lines 12-13, 37-41.  The rest is just the test structure.

<?php // RAY_mysql_CREATE_TEMPORARY_TABLE.php
error_reporting(E_ALL);
echo "<pre>";


// CONNECTION AND SELECTION VARIABLES FOR THE DATABASE
$db_host = "localhost"; // PROBABLY THIS IS OK
$db_name = "??";        // GET THESE FROM YOUR HOSTING COMPANY
$db_user = "??";
$db_word = "??";

// LIVE DATABASE CREDENTIALS ABOVE WEB ROOT
require_once('../db_info.php');


// OPEN A CONNECTION TO THE DATA BASE SERVER
// MAN PAGE: http://php.net/manual/en/function.mysql-connect.php
if (!$db_connection = mysql_connect("$db_host", "$db_user", "$db_word"))
{
    $errmsg = mysql_errno() . ' ' . mysql_error();
    echo "<br/>NO DB CONNECTION: ";
    echo "<br/> $errmsg <br/>";
}

// SELECT THE MYSQL DATA BASE
// MAN PAGE: http://php.net/manual/en/function.mysql-select-db.php
if (!$db_sel = mysql_select_db($db_name, $db_connection))
{
    $errmsg = mysql_errno() . ' ' . mysql_error();
    echo "<br/>NO DB SELECTION: ";
    echo "<br/> $errmsg <br/>";
    die('NO DATA BASE');
}
// IF WE GOT THIS FAR WE CAN DO QUERIES


// REMOVE THE VARIABLES THAT HOLD THE CREDENTIALS
unset($db_host, $db_name, $db_user, $db_word);

// PROVE THEY ARE NOT THERE ANY MORE
var_dump($db_host, $db_name, $db_user, $db_word);


// CREATING A TABLE
$sql = "CREATE TEMPORARY TABLE my_table (
        _key INT         NOT NULL AUTO_INCREMENT,
        name VARCHAR(24) NOT NULL DEFAULT '',
        PRIMARY KEY(_key)  )";
$res = mysql_query($sql);

// IF mysql_query() RETURNS FALSE, GET THE ERROR REASONS
if (!$res)
{
    $errmsg = mysql_errno() . ' ' . mysql_error();
    echo "<br/>QUERY FAIL: ";
    echo "<br/>$sql <br/>";
    die($errmsg);
}



// ESCAPING A DATA FIELD FOR USE IN MYSQL QUERIES
// MAN PAGE: http://php.net/manual/en/function.mysql-real-escape-string.php
// CREATE AN ARRAY OF NAMES
$names[] = mysql_real_escape_string("Williams");
$names[] = mysql_real_escape_string("Paseur");
$names[] = mysql_real_escape_string("O'Reilly");
$names[] = mysql_real_escape_string("Paseur");
$names[] = mysql_real_escape_string("Paseur");



// MAKING AN INSERT QUERY, USING THE ESCAPED STRINGS AND TESTING THE RESULTS
foreach ($names as $name)
{
    $sql = "INSERT INTO my_table ( name ) VALUES ( '$name' )";
    $res = mysql_query($sql);

    // IF mysql_query() RETURNS FALSE, GET THE ERROR REASONS
    if (!$res)
    {
        $errmsg = mysql_errno() . ' ' . mysql_error();
        echo "<br/>QUERY FAIL: ";
        echo "<br/>$sql <br/>";
        die($errmsg);
    }
} // IF WE GET THIS FAR, THE INSERT QUERIES ALL SUCCEEDED



// GET THE AUTO_INCREMENT ID OF THE LAST RECORD WE INSERTED
// MAN PAGE: http://php.net/manual/en/function.mysql-insert-id.php
$_key  = mysql_insert_id($db_connection);

echo PHP_EOL . "LAST KEY: $_key AND NAME WITH ESCAPE STRING INCLUDED: $name";
echo PHP_EOL;



// MAKING A SELECT QUERY AND TESTING THE RESULTS
$sql = "SELECT * FROM my_table ORDER BY name ASC";
$res = mysql_query($sql);

// IF mysql_query() RETURNS FALSE, GET THE ERROR REASONS
if (!$res)
{
    $errmsg = mysql_errno() . ' ' . mysql_error();
    echo "<br/>QUERY FAIL: ";
    echo "<br/>$sql <br/>";
    die($errmsg);
} // IF WE GET THIS FAR, THE QUERY SUCCEEDED AND WE HAVE A RESOURCE-ID IN $res SO WE CAN NOW USE $res IN OTHER MYSQL FUNCTIONS



// ITERATE OVER THE RESULTS SET TO SHOW WHAT WE SELECTED
while ($row = mysql_fetch_assoc($res))
{
    var_dump($row);
}


HTH, ~Ray
foxymoron7 (ASKER)

Thanks Ray_Paseur!

I ran a quick test of unsetting the values and the object remains usable for querying.  For my purposes, keeping a live connection resource for the life of the object is not a problem, but I expect it may become one for high-volume/traffic sites.  So viewers of this solution may want to explore that side of the solution further.

Thank you!
Ray Paseur

I think you might be able to unset the values inside the object.  There was no object in my test, but if you consider the variable scope both outside and inside the object, you will see that there are two copies of the variable.  Both copies would need to be nullified.

Thanks for the points, and thanks for using EE, ~Ray
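The following is an added example written for this page; it is not code from the thread, from WordPress, or from Ray's test script. It applies the thread's conclusion (Ray's "two copies" point and the asker's "class that handles all database tasks") with a wrapper class that never assigns the credentials to a property: they exist only as constructor locals and as a local inside a loader function, so neither var_dump() nor ReflectionObject can read them back out of the object once it is built. It also uses PHP's __debugInfo hook (PHP 5.6+, not mentioned in the thread) to shape what var_dump()/print_r() show, and a leak check a defender can run against any object. Assumptions: PHP 7.1+, mysqli instead of the removed mysql_* extension, a config file above the web root at the placeholder path ../db_info.php that returns an array, and a constructed stub connector so the demo runs without a database server.

```php
<?php
// Added example, not from the thread. Placeholder config path; stub connector and
// demo password are constructed for the demo only.

final class Db
{
    private $dbh; // the only state the object retains: the live connection handle

    /**
     * $connect is called once with the credentials and must return a handle.
     * The credentials are locals of this method: they are released when it returns
     * and are never assigned to $this, so no object-side copy exists to unset.
     */
    public function __construct($host, $user, $pass, $name, ?callable $connect = null)
    {
        if ($connect === null) {
            $connect = function ($h, $u, $p, $n) { return new mysqli($h, $u, $p, $n); };
        }
        $this->dbh = $connect($host, $user, $pass, $name);
        if (!$this->dbh || !empty($this->dbh->connect_error)) {
            throw new RuntimeException('database connection failed');
        }
    }

    /** Controls what var_dump()/print_r() display for this object (PHP 5.6+). */
    public function __debugInfo()
    {
        // Cosmetic only: ReflectionObject and an (array) cast bypass this hook,
        // so the real protection is that no secret is stored in the first place.
        return ['connected' => true];
    }

    public function query($sql)
    {
        return $this->dbh->query($sql);
    }
}

/**
 * Load credentials from a PHP file above the web root that returns
 * ['host' => ..., 'user' => ..., 'pass' => ..., 'name' => ...] and connect.
 * $cfg is a local of this function, so the caller's scope never holds a copy
 * of the credentials: the "second copy" from the thread never comes into being.
 */
function db_from_config($path, ?callable $connect = null)
{
    $cfg = require $path; // e.g. '../db_info.php' (placeholder path)
    return new Db($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name'], $connect);
}

/**
 * Defender's check: can $secret be recovered from $obj by the usual inspection
 * routes? Looks at print_r() output and at every property via reflection,
 * private ones included, so a __debugInfo() hook alone cannot make it pass.
 */
function leaks_secret($obj, $secret)
{
    if (strpos(print_r($obj, true), $secret) !== false) {
        return true;
    }
    $ref = new ReflectionObject($obj);
    foreach ($ref->getProperties() as $prop) {
        $prop->setAccessible(true);
        if (strpos(var_export($prop->getValue($obj), true), $secret) !== false) {
            return true;
        }
    }
    return false;
}

// --- Demo without a database server: a constructed stub stands in for mysqli ---
$stub = function ($h, $u, $p, $n) {
    $dbh = new stdClass();     // stands in for a mysqli handle
    $dbh->connect_error = '';  // mimic a successful connection
    return $dbh;
};

$password = 'constructed-demo-password';
$db = new Db('localhost', 'wp_user', $password, 'wp_db', $stub);
unset($password);              // the caller's copy; the object never had one

var_dump($db);                                            // shaped by __debugInfo()
var_dump(leaks_secret($db, 'constructed-demo-password')); // reflection-backed check
var_dump((new ReflectionObject($db))->getProperties());    // only the handle is left
```

In production the stub is dropped and db_from_config('../db_info.php') is used, so the only places the password ever lives are the config file's own return value and two function-local variables that die as soon as the connection is open. The leak check is what to run against a real object such as $wpdb before trusting a wrapper: if the password shows up through reflection, a property still holds it and needs the unset the thread describes.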