5

First off, if there is an exact duplicate - I didn't find any so I apologize in case the answer was already provided.

I'll present the problem I'm facing, hoping I'll get some insight or a straightforward "not possible" answer.

How to secure database credentials in a web application in case the server where PHP is gets compromised? Assume that in this problem's case we are not talking about shared hosting, VPS or anything alike, there's only one person who has access to the box that stores MySQL information.

MySQL server itself is located at another (remote) box and allows connections from only a range of IP addresses (bound to the PHP box).

How to ensure that malicious user will not be able to obtain the details needed for connection string for MySQL? Assume that the user has broken the root login of the linux box running PHP.

What steps would you take towards providing highest security in terms of accessing information needed to establish MySQL connection in such a case?

Thank you for reading and commenting in advance.

Furicane
  • 1,175
  • 6
  • 18
  • This topic has been covered already here - http://stackoverflow.com/questions/3710511/best-way-to-connect-to-mysql-with-php-securely – hafichuk Nov 01 '11 at 03:45
  • @hafichuk - link provided suggests certain parts of securing the access, with the best answer being encrypting the file with the password. However, if someone's a root - nothing stops them from modifying the PHP code and echoing the credentials. I am wondering if someone has a better method of establishing the communication between app server and db server such as public key encryption or similar where the db server is involved into negotiating first before allowing for the connection. – Furicane Nov 01 '11 at 03:52

2 Answers2

2

The best solution here, if this is a main priority, would be to use stored procedures.

Stored procedures store the database queries inside the database, therefore just set them up, and then create a new MYSQL user with just stored procedure execution permissions. That way even if the application code was compromised they would only be able to manipulate a limited subset of your data, and they also gain no knowledge of the underlying database structure.

The negatives to this approach are maintainability, due to the fact your mixing application logic with your storage system, and it might not be portable across platforms.

If you want a simple solution, what hafichuk suggested might be better, just customize it to fit your needs. Unfortunately your script needs to be able to access the database, unless your web server and application server were on separate machines and communicated over some encrypted channel such as SSH, but then your just getting too complicated. It all depends how important protection really is to you, and how far your willing to go to ensure it.

Marc DiMillo
  • 512
  • 5
  • 17
1

Unfortunately, the PHP code will have the username and password of your mysql system in plaintext. My suggestion is that you restrict the privileges of that database user (you are using a database user other than root I hope).

See http://dev.mysql.com/doc/refman/5.5/en/adding-users.html. If you're using phpmyadmin or some other UI, then you can restrict the users privileges that way.

Basically, you typically want to only grant SELECT, UPDATE, INSERT and DELETE to the mysql user, unless your app needs other privileges.

Beyond that, hopefully someone else can offer a better solution.

hafichuk
  • 9,581
  • 10
  • 34
  • 53
  • Thanks for the answer, but the goal is to restrict the user from having either a hard time or no ability to access the database. Even reading from the db is considered as a breach, so the level of breach is the same as if someone deleted or dropped the whole dataset. – Furicane Nov 01 '11 at 03:43