Reputation: 41
I'm trying to connect to my database, but I changed my database's root password in the interest of security. However, in order to connect to the database and use PDO, I apparently have to pass my password in the PHP, which obviously is not good for security:
$hsdbc = new PDO('mysql:dbname=hs database;host=127.0.0.1;charset=utf8', 'root','passwordgoeshere');
$hsdbc->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$hsdbc->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
Am I being stupid, and because it's PHP no one but the person who views the actual file will be able to see the password, or is there some way to do it without passing the password in the file?
Upvotes: 3
Views: 4902
Reputation: 666
Yes, it seems insecure at first, but once you get the hang of it and know how to manage your files to minimize potential security breaches, you can minimize the risks associated with having passwords stored in plain text in potentially publicly exposed places. Yet AFAIK PDO doesn't even let you form a connection without supplying a password. The solutions are a combination of what everyone has said and then some. Here's my quick guide for what I do.
There should be a PHP-specific user for each table you need to access. That user will be granted only enough rights to handle as much of that table as it needs to: if it doesn't need to delete, don't grant it DELETE; if it doesn't need to select, don't grant it SELECT. It seems fussy, but very quickly you'll have a copy-paste template to make the users, give them the right(s) they need, and document it. If there's a joined table, naturally you'll want to grant the user access to that table as well.
-- a single user account for a specific purpose:
CREATE USER 'usermanager'@'localhost' IDENTIFIED BY '5765FDJk545j4kl3';
-- You might not want to give access to all three here:
GRANT SELECT, UPDATE, INSERT ON db.users to 'usermanager'@'localhost';
The purpose of this is so that if you have a bug in your code that lets people SQL inject, they won't be able to cause any harm beyond the scope of what that role can do.
Never mind revealing the source code; even just trying to access PHP files "out of order" can be destructive.
Move as many files to an out-of-scope directory as possible. Then call them like so:
require_once('../lib/sql_connectors.php');
This should escape your html / webdir, and you should hopefully be able to store all sorts of fun stuff outside the scope of what a stupid admin mistake could reveal.
You can even have a PHP file that gets pictures and videos from outside your webdir; that's how streaming sites protect their resources and also conduct PHP-based authentication for file access. To learn how to do that you'll want to look up assigning your own ETag headers to make sure browsers cache your PHP-retrieved files, otherwise you'll have a very busy server; here's a short introduction.
All of your in-directory PHP files can be protected by checking that the $_SERVER['REQUEST_URI'] isn't itself. If it is, you can have a function called show404() that loads the 404.php page and dies there, or just directly call your 404.php with an include. That way, even if you have hackers trying to brute force your PHP files they'll never see them, because they'll get 404 errors (fools the bots) and they'll see the 404 page (fools the humans).
I avoid using .php in any publicly visible paths; to do that, I make rewrite rules in my .htaccess files that look like this:
RewriteEngine On
RewriteRule ^login$ login.php [L,QSA]
The L makes it stop running other rules.
The QSA preserves the $_GET parameters (the query string).
The first lines of code for every file (consider prepending) could be:
// They should be arriving via the rewrite rule, not by requesting this file directly.
$fileName = basename(__FILE__);
// REQUEST_URI is the URI the client asked for (the internal rewrite does not change it)
// and it includes any query string, so compare only the path part.
$requestPath = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
if ($requestPath === '/' . $fileName) {
    error_log('Security Warning: [' . $_SERVER['REMOTE_ADDR'] . '] might be trying to scrape for PHP code. URI: [' . $_SERVER['REQUEST_URI'] . ']');
    include('404.php'); // should point to your 404 ErrorDocument
    exit();
}
// Hand off to the real implementation, which lives outside the web root.
include('../hidden/php/' . $fileName);
In this example, assuming you have the rewrite rule in your .htaccess, a login.php with the code above, and a login.php in your hidden directory, the user would experience the following two scenarios: attempt to connect to '/login' and see the hidden 'login.php' page; attempt to connect to the visible '/login.php' directly and get a 404 error.
Those are the 3 big things: lots of small, limited accounts to minimize damage in case of a security failure; keeping all possible files outside the web directory; and making all in-directory PHP files produce an error, so that only non-.php links can reach them.
Upvotes: 0
Reputation: 562558
I have seen websites that expose PHP code when the Apache type handler for PHP becomes unconfigured by accident. Then the code in .php files is displayed instead of executed. There's also an Apache type handler to display PHP source deliberately, though this is not usually configured.
To avoid this vulnerability, it's good practice to put your sensitive PHP code outside your htdocs directory. Instead, put in your htdocs directory a minimal PHP script that loads the rest of the code using include() or require().
An alternative is to put your MySQL credentials in a config file instead of in PHP code at all. For example, the file format used by /etc/my.cnf and $HOME/.my.cnf is readable by the PHP function parse_ini_file(). It's easy to store your MySQL password outside of your code this way.
For example, read user and password from the [mysql] or [client] sections of /etc/my.cnf:
// DSN without credentials; host/dbname are placeholders for your own values.
$dsn = 'mysql:host=127.0.0.1;dbname=hsdatabase;charset=utf8';
$connect_opts = array();
// Second argument = true returns a nested array keyed by [section] name.
$ini = parse_ini_file("/etc/my.cnf", true);
if (array_key_exists("mysql", $ini)) {
    $connect_opts = array_merge($connect_opts, $ini["mysql"]);
} else if (array_key_exists("client", $ini)) {
    $connect_opts = array_merge($connect_opts, $ini["client"]);
}
$pdo = new PDO($dsn, $connect_opts["user"], $connect_opts["password"]);
Upvotes: 1
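Pulling the two answers above together (a least-privilege MySQL account, the code and credentials kept outside the document root, and credentials read from an INI file with parse_ini_file()), here is an added example that is not from either answer or from the original question. It assumes a credentials file at /srv/app/private/db.ini, a sibling of the document root rather than inside it, owned by the PHP user with mode 0600; the file path, section lookup order and the loadDbCredentials()/connectDb() function names are all assumptions. It also handles the failure mode the answers do not mention: an uncaught PDOException from the constructor prints a stack trace whose frame arguments include the password whenever display_errors is on and zend.exception_ignore_args (PHP 7.4+) is off, so the connection attempt is caught and re-raised without the arguments.

```php
<?php
// Added example, not code from the original answers.
// Paths, section names and function names are assumptions.
declare(strict_types=1);

/**
 * Read user/password from an INI file in my.cnf style, e.g.
 *   [client]
 *   user = usermanager
 *   password = "5765FDJk545j4kl3"   ; quote it if it contains ; = or "
 * and refuse files that other users on the host could read.
 */
function loadDbCredentials(string $path): array
{
    if (!is_file($path)) {
        throw new RuntimeException("credentials file missing: $path");
    }
    // Mode bits for group/other read: anything set here means another local
    // account (or a mis-served static file) could read the password.
    $mode = fileperms($path) & 0777;
    if (($mode & 0044) !== 0) {
        throw new RuntimeException(sprintf('%s is readable by others (mode %04o)', $path, $mode));
    }
    $ini = parse_ini_file($path, true); // true: keep [section] structure
    if ($ini === false) {
        throw new RuntimeException("cannot parse $path");
    }
    // Same precedence the second answer uses: [mysql] first, then [client].
    foreach (['mysql', 'client'] as $section) {
        if (isset($ini[$section]['user'], $ini[$section]['password'])) {
            return $ini[$section];
        }
    }
    throw new RuntimeException("no [mysql]/[client] section with user and password in $path");
}

/**
 * Open the PDO connection with the least-privilege account from the INI file.
 * The DSN itself carries no secret, so it can live in code.
 */
function connectDb(string $credPath, string $dbname, string $host = '127.0.0.1'): PDO
{
    $c   = loadDbCredentials($credPath);
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $host, $dbname);
    try {
        return new PDO($dsn, $c['user'], $c['password'], [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]);
    } catch (PDOException $e) {
        // Do not let this exception propagate: its trace contains the
        // PDO::__construct() arguments, i.e. the password, unless
        // zend.exception_ignore_args=On. getMessage() itself only names
        // the user and host, so it is safe to log.
        error_log('database connection failed: ' . $e->getMessage());
        throw new RuntimeException('database unavailable');
    }
}

// Usage (hypothetical path and database name):
$pdo = connectDb('/srv/app/private/db.ini', 'hsdatabase');
$stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = ?');
$stmt->execute([1]);
var_dump($stmt->fetch(PDO::FETCH_ASSOC));
```

The account named in the INI file should be the purpose-specific user from the first answer (created with CREATE USER ... IDENTIFIED BY and granted only the statements it needs), so that a leaked file or an injection bug is bounded by that account's grants rather than by root.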
Reputation: 1604
Going to extend SupSon's (SC2 Select fan?) answer:
PHP itself is a server-side language.
There are only 3 ways (maybe more, if someone wants to add to it) that code can be shown to an outside user:
So if one of these cases is happening, coding your username/password into a .php file won't be a breach in security.
Upvotes: 1
Reputation: 11478
Generally speaking, it's not bad practice to have connection strings in files that are not user-facing. If you don't want to have your personal password in the PHP file, then you can create a new MySQL user for PHP.
You can also restrict the user's host in MySQL to the server hosting your PHP scripts. This way, if a nefarious person browsing the web somehow was able to see the database password, they would have more difficulty using it.
Upvotes: 2
Reputation: 1702
People are not able to just go and read your files. They should be safe in the place where you host them. They are only able to get to the files if they are able to get into the place where you host your stuff, which should not be possible if they don't have the information to get there (which should be known only to you).
This is not just for PDO, but also for mysql and mysqli; you do it like this.
Upvotes: 1