<p>No. If someone can get your files or run programs it's game over:</p>
<ol>
<li>If your web directory is writable, I can simply add a line <code>echo $decrypted;</code> above that <code>mysql_connect()</code> and get the password.</li>
<li>I can copy your files down and edit them there.</li>
</ol>
<p>Security is a process that you go through, not some library you can link into your program.</p>
<ul>
<li><p>You should store the configuration in the <a href="http://php.net/manual/en/mysql.configuration.php" rel="nofollow">php.ini</a> file so that your program need only call <code>mysql_connect()</code> (with no arguments). This is a good idea because it may be easier for an attacker to convince your system to print out source code and web-accessible files than to print arbitrary files on your system.</p></li>
<li><p>On Unixish systems like OSX and Linux, you should make sure you're using unix domain sockets, which do not expose your MySQL server to the Internet; someone cannot connect to your MySQL server if it is not on the Internet. This provides some further protection against the "get your files" attack.</p></li>
<li><p>Take care to not permit your web users to create php files (or anything else executable). This provides some protection against the "run programs" attack.</p></li>
<li><p>If I can upload/edit your files, I can do anything they can do, so you should also be careful about the <code>GRANT</code> statements that you put in your MySQL server: if only the administrator needs to do certain <code>INSERT</code> or <code>DELETE</code> operations on certain tables, consider running the admin scripts as a separate web-user with separate rights. If your scripts cannot delete all your data, then I as an attacker cannot either.</p></li>
</ul>
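<p>The split of rights described in the last bullet, as an added example that is not part of the answer above: one MySQL account for the public scripts and a separate one for the admin scripts, each limited to the local host. The database, table and account names and the password placeholders are constructed for illustration.</p>

```sql
-- Added example (not from the answer): least-privilege MySQL accounts for the
-- public web scripts versus the admin scripts. Names and passwords are
-- constructed placeholders; replace them for a real deployment.

-- Both accounts are restricted to host 'localhost', so they are only usable
-- from the machine MySQL runs on (e.g. over the unix domain socket).
CREATE USER 'web_public'@'localhost' IDENTIFIED BY 'REPLACE-WITH-PUBLIC-PASSWORD';
CREATE USER 'web_admin'@'localhost'  IDENTIFIED BY 'REPLACE-WITH-ADMIN-PASSWORD';

-- The public-facing scripts only read the catalogue and append orders.
-- No UPDATE, DELETE, DROP or FILE: a script compromised through the public
-- web user cannot wipe the tables or read files through the server.
GRANT SELECT         ON shop.products TO 'web_public'@'localhost';
GRANT SELECT, INSERT ON shop.orders   TO 'web_public'@'localhost';

-- The admin scripts, run under a separate web user, get the write rights.
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.products TO 'web_admin'@'localhost';
GRANT SELECT, UPDATE, DELETE         ON shop.orders   TO 'web_admin'@'localhost';

-- Check what each account can actually do before deploying:
SHOW GRANTS FOR 'web_public'@'localhost';
SHOW GRANTS FOR 'web_admin'@'localhost';
```

<p>Pair this with <code>skip-networking</code> in the <code>[mysqld]</code> section of my.cnf (closes the TCP port, leaving only the socket) and the <code>mysql.default_socket</code>, <code>mysql.default_user</code> and <code>mysql.default_password</code> settings in php.ini, so the scripts call <code>mysql_connect()</code> with no arguments and carry no credentials in the web directory.</p>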