Is it a security risk for your php database data to be accessed through a browser?

I just had an argument with a colleague. My index.php contains my MySQL connection as well as the hostname, username, password and database. He claims this is a security threat, as there is a possibility that the PHP parser could fail, causing the web server to return the entire file in plain text. However, I believe that if the PHP parser fails, the web server will present users with an internal server error.

Can anyone confirm if this is or is not a security risk?




5 answers

The short answer is no.

The long answer is yes, but only if:

  • your server has been hacked, in which case people reading your php files are the least of your worries.
  • you misconfigured your server to serve .php files as plain text instead of parsing them, which would be very silly.

Also, if you are using some kind of version control software, make sure your .hg or .svn or any other folders cannot be viewed from a web browser. You will be surprised how often this happens.


I would tend to go with some of the suggestions here already, which is what I do in my day-to-day development. Have a config.php file outside of your website root folder and include it in your index.php. This way you know for sure that it will never be viewable. By the way, I have been developing in PHP for several years and have never seen the parser fail in a way that resulted in the raw PHP being displayed to the end user.


If your colleague means parsing errors when he says the PHP parser is "not working", then in a live environment you should turn off error reporting anyway.



Any result is possible. The usual course of action is to use `require` to add a separate file containing your DB credentials. This file must be outside of the web server's file tree, so it cannot be reached through a browser.



I am convinced that you can never be too safe. Which is easier: replacing thousands, perhaps millions, of entries if a hacker gets your DB information, plus a security breach that you will need to explain to your users (and possibly their lawyers, depending on the content and the violation), or putting your information in a separate password-protected folder and including it on the pages that need to connect?

For me, the choice is simple.



Your colleague is correct, but this is unlikely to happen. The .php file will only be returned as plain text, or as download if PHP stalled on the host.

To be more secure, use `include()` with a path to the database credentials in a new folder. In this folder, put a .htaccess file containing "deny from all".

This way, even if PHP stops working on the server, Apache will still work and secure all files, including the database credentials. Even if Apache stops working, the entire web server will be down and your credentials will still be secure.
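As an added illustration of the advice in the answers above (a credentials file outside the document root, loaded with `require`, with error display switched off on the live site), here is example code that is not from the original thread. The directory layout (`/var/www/html` as document root, `/var/www/config/db.php` one level above it), the DSN and the account name are assumptions; the password is a placeholder. It assumes PHP 8 for `str_starts_with()`.

```php
<?php
// ---- /var/www/config/db.php (OUTSIDE the document root; assumed layout) ----
// Returning an array keeps the secrets in a file that is never served by
// the web server, because no URL maps to a path above the document root.
return [
    'dsn'      => 'mysql:host=localhost;dbname=app;charset=utf8mb4', // assumed
    'username' => 'app_user',                                        // assumed
    'password' => 'REPLACE_WITH_REAL_PASSWORD',                      // placeholder
];

<?php
// ---- /var/www/html/index.php (inside the document root) ----
declare(strict_types=1);

// Never echo errors (and therefore stack traces or file paths) to visitors
// on a live site; log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Resolve the credentials file relative to this script, not to the URL.
$configPath = realpath(__DIR__ . '/../config/db.php');
$docRoot    = realpath($_SERVER['DOCUMENT_ROOT'] ?? __DIR__);

if ($configPath === false) {
    http_response_code(500);
    exit('Configuration missing.');
}

// Defensive check: refuse to start if someone has moved the credentials
// file back under the document root, where a misconfiguration could serve it.
if ($docRoot !== false && str_starts_with($configPath, $docRoot . DIRECTORY_SEPARATOR)) {
    http_response_code(500);
    exit('Configuration file must not live inside the document root.');
}

$db = require $configPath;

try {
    $pdo = new PDO($db['dsn'], $db['username'], $db['password'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
} catch (PDOException $e) {
    // Log the detail server-side; show the visitor only a generic message.
    error_log('DB connection failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Service temporarily unavailable.');
}
```

The two files are shown in one block for readability; deploy them as separate files at the paths given in the comments.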




Personally, I would put parameters in a config file outside of the web tree and, after uploading, remove FTP access from that directory. It's not just a matter of whether the PHP parser crashes and pushes the file as plain text, but if there is a vulnerability on the FTP server that has compromised that file, it is possible to access both FTP and HTTP.

As long as Apache / PHP is running as a user separate from the FTP user, you can still `require` the config file from PHP.


