Passwords In PHP Code
You could have a site/app that scores A+ on SSL checker, have the best http security headers, use the best WAF and have full marks from an external penetration test but there are a few things that could still come back to haunt you that may have been overlooked – one of these could be how you store passwords in your PHP code.
There may be places in your code where you store configuration settings or usernames/passwords for thing like MySQL or APIs. Something like a connection to the database is fairly fundamental to most web applications, as such it was probably the first thing coded and it’s unlikely that it has ever been looked at since.
File Location
Ensuring the file(s) password and configuration settings are stored in is outside of a web servable directory is very important. You can never rely on the fact that PHP files will always be parsed correctly in the future, this could get broken by some kind of buffer overflow vulnerability or simply misconfiguration during an upgrade, this would leak your secret passwords to the world.
Try, Catch and Display Errors
If the database isn’t available when you attempt to open a connection PHP will generate an error that will be displayed on screen by default, this error will contain the credentials in plain text for anyone to see. This could be exploited by someone overloading the application with requests to hit the database max connections limit causing this error will be thrown.
It’s a good idea to make sure display_errors is turned off for any production machine, this can be done in the php.ini.
In addition to this it’s a good idea when opening a database connection or connecting to external services to wrap the connection in a try/catch so that you control how the error is dealt with rather than relying on how PHP is configured.
Example below:
<?php
try {
$dbh = new PDO('mysql:host=localhost;dbname=test', $user, $pass);
} catch (PDOException $e) {
# Add any custom logging or alerting code here
die();
}
?>
