nachtegaal9999 Posted October 24, 2009

Hi, I am a newbie and had a discussion with somebody who told me that xxx.php files could be read out or copied for the code in that file. He couldn't tell me how, so I want to verify this with specialists. The reason why I want to know this is that I use passwords in my xxx.php file to access my MySQL database. I always thought that it was safe!!! Could somebody tell me if it isn't secure and why? Thanks in advance.

Simon
Distortion Posted October 24, 2009

As far as I know, that isn't possible. As far as I know it isn't possible, or at least not easy, to access a PHP script. I've been told though that 'addslashes' gives more security. But no one ever tells why, so please give some extra information about this.
AElliott Posted October 24, 2009

nachtegaal9999:
You can't inherently access the unprocessed PHP source of a document without some form of authentication (i.e. going through a control panel's file manager, FTP, SFTP, SSH etc). So exposing files like `<?php $password = 'foobar'; ?>` via Apache HTTPd is perfectly safe in most situations provided mod_php is parsing the file. You can have situations where a poorly written web application allows a malicious user to gain access to the local filesystem and thus the file contents, but that's a mistake you would have to make - there's definitely no problem with PHP itself like you describe.

Distortion:
You are perhaps talking about sanitisation of user input, probably in a database context. In which case you should be using database-specific sanitisation methods rather than addslashes (for example, the stock mysql driver provides mysql_real_escape_string which is superior to addslashes for keeping user input in queries safe). You can also use PHP database drivers that provide variable binding when building queries, since these will often handle the sanitisation of input automatically. The idea of using methods like these in database queries is that it prevents users from injecting malicious SQL into your database.
chibineku Posted October 24, 2009

As far as I am aware it isn't possible to view PHP source unless there is an error on the page. It is possible to create errors if you know that appropriate error handling isn't in place, but the worst you'd get is someone seeing the format of a database query or something - one line max. You need to add and strip slashes so that if someone enters code into a form field and you display that code later, it won't contain code that will actually run. For example, imagine I entered in a form field:

`<p>Ha, dumbass!</p>`

If you store that as is and then try to output my name as that string, it will render as valid HTML and ruin someone's page. That's just a stupid phreaking example, but you can avoid it by using a built-in function like htmlspecialchars. Okay, so that doesn't really explain the slashes. Some characters like quotes are needed for making database queries, and if someone had an idea to, say, display all records in your database table, they could fill in a form field:

`bob AND 1=1"`

Imagine that I saved that as my username. When you next go to display my username, your query might look like:

`"SELECT * FROM `users` WHERE username = bob AND 1=1"`

That would select all records, because 1 always equals 1. There are far more ingenious uses, and better explanations, if you search for "database query injection".
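The difference AElliott and chibineku describe between gluing user input into the SQL text and binding it as a parameter, as an added example that is not from the thread: it uses PDO against an in-memory SQLite table (assumed available via pdo_sqlite) so it runs without a MySQL server; the table, rows and the hostile input are constructed for the demonstration.

```php
<?php
// Added example, not from the original thread. Shows why a bound parameter
// protects a query where string concatenation does not.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data standing in for a real users table.
$db->exec("CREATE TABLE users (username TEXT, email TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 'alice@example.test'),
                                    ('bob',   'bob@example.test')");

// Constructed hostile form input: the quote ends the string literal and
// the remainder is read by the database as SQL, not as a username.
$input = "bob' OR '1'='1";

// 1) Concatenation: the input is spliced into the SQL text, so the WHERE
//    clause the database actually parses no longer says what the author meant.
$unsafe = "SELECT username FROM users WHERE username = '" . $input . "'";
$concatenated = $db->query($unsafe)->fetchAll(PDO::FETCH_COLUMN);
echo "concatenated query: " . $unsafe . "\n";
echo "rows returned:      " . implode(', ', $concatenated) . "\n";

// 2) Bound parameter: the SQL is compiled first with a placeholder, and the
//    input is sent separately as data, so the quote and OR are just
//    characters in a username that matches nobody.
$stmt = $db->prepare("SELECT username FROM users WHERE username = ?");
$stmt->execute([$input]);
$bound = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo "bound query:        SELECT username FROM users WHERE username = ?\n";
echo "rows returned:      " . implode(', ', $bound) . "\n";
```

The same prepare/execute pattern works unchanged with the PDO MySQL driver; only the DSN passed to the PDO constructor differs.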
jlhaslip Posted October 25, 2009

Keeping the database connection information and the passwords in a PHP file is 'generally' a safe thing; however, to add some more security, using a configuration file that is not directly web-accessible and 'include'-ing it in your script will add another level of security.
Distortion Posted October 25, 2009 (edited)

Thank you chibineku, that was exactly what I wanted to know. And thanks for the search term, I will not have to bother you with further questions about this.

Edited October 25, 2009 by Distortion