LinuxQuestions.org, Linux - Security forum
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
10-29-2011, 10:14 AM   #1
OtagoHarbour
Password Required for PHP MySQL Call with LAMP


I have installed LAMP on Ubuntu 11.10. When I make the following call from a PHP file

Code:
// mysql_connect() returns false on failure; the message quoted below is what the die() prints.
$con = mysql_connect("localhost", "peter", "");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
I get the following error message.

Quote:
Could not connect: Access denied for user 'peter'@'localhost' (using password: NO)
I am presuming that this is fixable by adding a password to the call but I am planning to run this over the Internet and do not want hackers to be able to get my database password by reading, or reverse engineering, my PHP file.

I would be grateful if someone could advise me on the best, most secure, solution for this.

Many thanks in advance,
Peter.
 
10-29-2011, 10:24 AM   #2
lithos
I couldn't think of something else right now,
but make the password for your user and then on the server limit the connection to MySQL port 3306 with MySQL grant,
to allow only your IP to connect to this port/database.

Some MySQL remote connection example MySQL can not connect to server.
You could also limit your IP and port 3306 with IPTABLES.


10-31-2011, 08:49 AM   #3
OtagoHarbour (Original Poster)
Quote:
Originally Posted by lithos
I couldn't think of something else right now,
but make the password for your user and then on the server limit the connection to MySQL port 3306 with MySQL grant,
to allow only your IP to connect to this port/database.

Some MySQL remote connection example MySQL can not connect to server.
You could also limit your IP and port 3306 with IPTABLES.
Thanks very much for your reply. I think I did as you suggested using tip 1 here. Should that work?

Thanks,
Peter
 
11-01-2011, 05:34 PM   #4
lithos
Hi,

sorry for late reply, but this:
Code:
(root)/> iptables -A INPUT -s 127.0.0.1 -p tcp --dport 3306 -j ACCEPT
(root)/> iptables -A INPUT -p tcp --dport 3306 -j DROP
has only blocked the access to your MySQL server.

You need to allow the access to port 3306 on your server from the IP address you are connecting from,
like:
Code:
iptables -A INPUT -s 203.0.113.123 -p tcp --dport 3306 -j ACCEPT   # 203.0.113.123 stands for your client's address
allowing the IP 203.0.113.123 to access the MySQL port 3306.

so the whole iptables rule set would have to have the right order:
Code:
iptables -A INPUT -s 127.0.0.1 -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -s 203.0.113.123 -p tcp --dport 3306 -j ACCEPT   # your client's address
iptables -A INPUT -p tcp --dport 3306 -j DROP
meaning:
lines 1 and 2 allow access to port 3306,
then the 3rd line blocks any other IP from accessing 3306 (whatever doesn't match those IPs gets rejected).
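How first-match ordering plays out for rules like the ones above, as an added example that is not part of the thread: a small POSIX sh simulation of the INPUT chain for tcp/3306. It takes the same `iptables -A|-I INPUT ... -s ... -j ...` lines, applies them top to bottom, and reports which target a given source address hits. 203.0.113.123 is an RFC 5737 documentation address standing in for the remote client; a source such as 123.456.123.123 has an octet above 255 and is refused, as iptables itself refuses it. The simulation is an assumption for illustration, not a netfilter evaluation: no masks, no protocol or port matching, and the chain policy is taken as ACCEPT, the iptables default.

```shell
#!/bin/sh
# Added example, not from the thread: first-match simulation of the INPUT
# chain for tcp/3306. The chain lives in $CHAIN, one "source target" per
# line; 0.0.0.0/0 means "any source" (a rule written without -s).

CHAIN=''

# Validate a dotted-quad IPv4 address (no mask). Returns 0 when valid.
valid_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Apply one "iptables -A|-I INPUT ... -s SRC ... -j TARGET" line to the chain.
# Only -A (append), -I (insert at top), -s and -j are interpreted; -p and
# --dport are accepted and ignored since every rule here is tcp/3306.
# Returns 2, as iptables does, for a source address it cannot parse.
apply_rule() {
    set -- $1
    op=''; src='0.0.0.0/0'; target=''
    while [ $# -gt 0 ]; do
        case $1 in
            -A) op=append; shift 2 ;;
            -I) op=insert; shift 2 ;;
            -s) src=$2;    shift 2 ;;
            -j) target=$2; shift 2 ;;
            *)  shift ;;
        esac
    done
    if [ "$src" != '0.0.0.0/0' ] && ! valid_ipv4 "$src"; then
        printf "host/network '%s' not found\n" "$src" >&2
        return 2
    fi
    [ -n "$op" ] && [ -n "$target" ] || return 2
    case $op in
        append) CHAIN="${CHAIN}${src} ${target}
" ;;
        insert) CHAIN="${src} ${target}
${CHAIN}" ;;
    esac
}

# Walk the chain top to bottom and print the target of the first rule that
# matches source $1; print the chain policy (ACCEPT) when none does.
verdict_for() {
    verdict=ACCEPT
    while read -r src target; do
        [ -n "$src" ] || continue
        if [ "$src" = '0.0.0.0/0' ] || [ "$src" = "$1" ]; then
            verdict=$target; break
        fi
    done <<EOF
$CHAIN
EOF
    printf '%s\n' "$verdict"
}

# Demo 1: the DROP was added first and the ACCEPT appended afterwards with -A,
# so the ACCEPT sits below the DROP and is never reached.
CHAIN=''
apply_rule 'iptables -A INPUT -p tcp --dport 3306 -j DROP'
apply_rule 'iptables -A INPUT -s 127.0.0.1 -p tcp --dport 3306 -j ACCEPT'
echo "DROP first:  127.0.0.1 -> $(verdict_for 127.0.0.1)"

# Demo 2: ACCEPTs first, catch-all DROP last.
CHAIN=''
apply_rule 'iptables -A INPUT -s 127.0.0.1 -p tcp --dport 3306 -j ACCEPT'
apply_rule 'iptables -A INPUT -s 203.0.113.123 -p tcp --dport 3306 -j ACCEPT'
apply_rule 'iptables -A INPUT -p tcp --dport 3306 -j DROP'
echo "ACCEPT first: 127.0.0.1 -> $(verdict_for 127.0.0.1), 203.0.113.123 -> $(verdict_for 203.0.113.123), 198.51.100.7 -> $(verdict_for 198.51.100.7)"

# Demo 3: -I inserts at the top, so a new ACCEPT wins over an existing DROP.
apply_rule 'iptables -I INPUT -s 198.51.100.7 -p tcp --dport 3306 -j ACCEPT'
echo "after -I:     198.51.100.7 -> $(verdict_for 198.51.100.7)"

# An octet above 255 is refused and the chain is left untouched.
apply_rule 'iptables -A INPUT -s 123.456.123.123 -p tcp --dport 3306 -j ACCEPT' || echo "rejected: 123.456.123.123"
```

On the real box, confirm the order with `iptables -L INPUT -n --line-numbers` (or `iptables -S INPUT`); if a DROP is already in place, `-I INPUT` puts a new ACCEPT above it, whereas `-A` lands below it and never matches. Where PHP and MySQL run on the same host, as the original poster describes, the two-rule set of ACCEPT for 127.0.0.1 and DROP for everything else is already the whole policy; a further ACCEPT is only needed for a client that connects from another machine.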
 
11-02-2011, 07:47 AM   #5
Noway2
Quote:
do not want hackers to be able to get my database password by reading, or reverse engineering, my PHP file.
The remote public should NOT have access to your PHP file directly. Part of the Apache+PHP process is to ensure that the PHP is ALWAYS interpreted and converted into plain HTML. This is why it is important for your files to be labeled with an extension such as .php or .inc which is never meant to be displayed without interpretation. If an intruder were to gain a command shell on your system, they would be able to read all of the files that had permission set for Others, which likely includes your web code. However, if they do get a command shell, reading your PHP to obtain your database password will not be their, or your, top concern.
 
11-02-2011, 09:28 PM   #6
OtagoHarbour (Original Poster)
Quote:
Originally Posted by lithos
Hi,

sorry for late reply, but this:
Code:
(root)/> iptables -A INPUT -s 127.0.0.1 -p tcp --dport 3306 -j ACCEPT
(root)/> iptables -A INPUT -p tcp --dport 3306 -j DROP
has only blocked the access to your MySQL server.

You need to allow the access to port 3306 on your server from the IP address you are connecting from,
like:
Code:
iptables -A INPUT -s 203.0.113.123 -p tcp --dport 3306 -j ACCEPT   # 203.0.113.123 stands for your client's address
allowing the IP 203.0.113.123 to access the MySQL port 3306.

so the whole iptables rule set would have to have the right order:
Code:
iptables -A INPUT -s 127.0.0.1 -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -s 203.0.113.123 -p tcp --dport 3306 -j ACCEPT   # your client's address
iptables -A INPUT -p tcp --dport 3306 -j DROP
meaning:
lines 1 and 2 allow access to port 3306,
then the 3rd line blocks any other IP from accessing 3306 (whatever doesn't match those IPs gets rejected).
I'm not sure I understand. Should I give additional access to an IP address on the Internet? It is only the PHP files that are supposed to access the MySQL database. They are on the local machine. The external user provides information to the PHP files through forms. I actually have two servers: a web server and an application server. The web server is connected to the Internet while the application server should only be connected to the web server. The application server has the database and virtually all the PHP files. Did I understand your reasons for
Code:
iptables -A INPUT -s 203.0.113.123 -p tcp --dport 3306 -j ACCEPT
Thanks,
Peter.
 
11-02-2011, 09:35 PM   #7
OtagoHarbour (Original Poster)
Quote:
Originally Posted by Noway2
The remote public should NOT have access to your PHP file directly. Part of the Apache+PHP process is to ensure that the PHP is ALWAYS interpreted and converted into plain HTML. This is why it is important for your files to be labeled with an extension such as .php or .inc which is never meant to be displayed without interpretation. If an intruder were to gain a command shell on your system, they would be able to read all of the files that had permission set for Others, which likely includes your web code. However, if they do get a command shell, reading your PHP to obtain your database password will not be their, or your, top concern.
I have changed all of my .html files to have .php extensions. But if they are straight html would they not be displayed as such? The user name and password is in the php code. Should it be protected?

Thanks,
Peter.
 
11-03-2011, 08:20 AM   #8
Noway2
The PHP interpreter will pass the HTML code through as long as it is not within the PHP declaration delimiters. Any code that is within the delimiters will not be passed directly out, but instead will be interpreted and the output will be converted into HTML. All of the other internal code that does not consist of print or echo output, such as your database connect statement, will not be visible to the public. Similarly, connect statements are not valid HTML and should throw an exception if passed to a browser. This is also part of the reason you want to be careful about your alert level in PHP as it can give away information.

To prove the concept to yourself, run this simple php script.
Code:
<?php
for ($index = 1; $index <= 10; $index++)
{
print "This is line $index<br />\n";
}
?>
If you run this code in a browser, you will get HTML output, but the code of the for loop will not be present. When configured properly, your browser should NOT dump any code that is in a PHP block directly to the user.
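The question running through posts #1, #5, #7 and #8, where the database password can safely live, as an added example that is not code from the thread: a POSIX sh setup-and-audit script. It writes the credentials to an INI file outside the DocumentRoot with mode 0640, generates the db.php that pages include (it holds only the path of that file and logs connection failures instead of echoing them), and greps the DocumentRoot for any file that still contains the password. The paths, the INI layout, the db.php name and the www-data group are assumptions; the demo at the bottom runs in a temporary directory with a constructed example password.

```shell
#!/bin/sh
# Added example, not code from the thread: move the MySQL password out of the
# served tree and audit that no served file still holds it. Paths, file names
# and the www-data group are assumptions for illustration.

# Write the credentials as an INI file with mode 0640.
# $1 = secret file, $2 = MySQL user, $3 = MySQL password.
write_db_secret() {
    mkdir -p "$(dirname "$1")"
    # Create the file under umask 077 so it is never world-readable even for
    # a moment, then open it to the group that runs Apache (needs root).
    ( umask 077; printf '[database]\nhost = localhost\nuser = %s\npassword = %s\n' "$2" "$3" > "$1" )
    chmod 0640 "$1"
    if [ "$(id -u)" -eq 0 ]; then chgrp www-data "$1" 2>/dev/null || true; fi
}

# Print the octal permission bits of $1 (GNU stat, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when the secret file $1 lies outside the DocumentRoot $2, so Apache
# could not serve it even with the PHP handler disabled.
outside_docroot() {
    secret_dir=$(cd "$(dirname "$1")" && pwd -P)/
    doc_dir=$(cd "$2" && pwd -P)/
    case $secret_dir in
        "$doc_dir"*) return 1 ;;
        *)           return 0 ;;
    esac
}

# Write the include that pages use. It carries only the path of the secret,
# and connection failures go to the server log, never to the browser.
# $1 = DocumentRoot, $2 = absolute path of the secret file.
write_db_include() {
    mkdir -p "$1"
    cat > "$1/db.php" <<EOF
<?php
// Credentials are read from outside the DocumentRoot; no password in this file.
\$cfg = parse_ini_file('$2', true);
if (\$cfg === false || !isset(\$cfg['database'])) {
    error_log('db.php: cannot read database config');
    header('HTTP/1.1 500 Internal Server Error');
    exit;
}
\$con = mysqli_connect(\$cfg['database']['host'], \$cfg['database']['user'],
                      \$cfg['database']['password']);
if (!\$con) {
    // Log the detail (it names the user and host); the visitor gets a bare 500.
    error_log('db.php: connect failed: ' . mysqli_connect_error());
    header('HTTP/1.1 500 Internal Server Error');
    exit;
}
EOF
}

# Count files under the DocumentRoot $1 that still contain the password $2.
# Anything above zero is a copy of the secret that Apache could serve.
docroot_leaks_password() {
    grep -rlF -- "$2" "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Demonstration in a throwaway tree (constructed paths, example password).
DEMO=$(mktemp -d)
DOCROOT=$DEMO/var/www
SECRET=$DEMO/etc/myapp/db.ini
PASSWORD='example-only-Zq7Lm2'
write_db_secret "$SECRET" peter "$PASSWORD"
write_db_include "$DOCROOT" "$SECRET"
echo "secret file mode: $(file_mode "$SECRET")"
outside_docroot "$SECRET" "$DOCROOT" && echo "secret file is outside the DocumentRoot"
echo "served files containing the password: $(docroot_leaks_password "$DOCROOT" "$PASSWORD")"
```

The grep is the check worth keeping: after moving the password out it should report zero, and it catches a forgotten page written the old way, with the password inline in a served .php file. Keep display_errors off in php.ini on the production host so a failed connect never sends the MySQL error text, which names the user and host, to the browser.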
 
  

