How to think about security of mysql login and password data in PHP?

M

Maxim Ivanov2016-03-22 17:54:45

PHP

Maxim Ivanov, 2016-03-22 17:54:45

For example, WordPress stores connection data to the mysql server directly in index.php (in order not to mess with the files, I think they are separate), but still. We can write a plugin that, for example, reads the contents of the index.php file and sends a report directly to another server. It's like a virus we have.
But then how do you store the data? In frameworks, it’s done this way, we can store a separate php file, but we still have access to reading directories, then what’s the point if there is some kind of php script that can read our files, etc.. That is, if index.php connects into itself virus.php, which reads directories and reads files, it is also executed on behalf of index.php, that is, the main file

Explain what you need to do to protect yourself with access to mysql data?

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

Y

Yuri, 2016-03-22
@splincodewd

it is easy to get rid of the problem you indicated - configure mysql so that there is no access from the outside, only localhost + your ip. then those who receive passwords from the database will still not be able to use them.
but in general the problem starts when you install the php module and you don't know how reliable it is.
if the script is launched, then in any case it can use the ready-made connection and download the necessary data and send the ready-made ones to the right place.

M

Maxim Ivanov, 2016-03-22
@splincodewd

So what is the best thing to do? No replies to comments