I am working towards an environment where multiple websites use the same copy of PHP while using their own instances of MySQL databases. This obviously means connection credentials for each website: the more users, the more passwords, and the more inviting a target for hackers. Just to make sure everyone is on the same page, these are the basic credentials I am talking about...
$user = 'user'; // not actual user, not root either
$pass = 'pass'; // not actual password
$server = 'localhost';
$database = mysql_connect($server, $user, $pass, true|false);
So I am talking about the passwords used to connect to the database, not the passwords in the database (which, for clarification, I've hashed with pepper and salt).
I haven't read anything that I think remotely suggests you can have 100% foolproof security, since obviously the server has to connect to the database and fetch the content for site visitors 24/7. If I am mistaken I would like to hear how this is possible.
So let's assume a hacker has root access (or, if that doesn't imply access to the PHP code, let's just say they have access to all of the PHP source code) and they (in this scenario) want to access/modify/etc. the databases. If we can't stop them once they have the PHP source, then we want to slow them down as much as possible. I can keep each site's database connection password in a separate file (can as in I am a couple of days from finishing multi-domain support) for each site and not within public_html (obviously). I use serialize and unserialize to store certain variables to ensure a certain degree of fault tolerance whenever the database becomes unavailable on shared hosting (preventing site A from looking and acting like site B and vice versa), since the database can sometimes become unavailable several times a day (my database error logs are written to once the SQL service comes up again and catches these "away" errors). One thought that has crossed my mind is finding a way to store the passwords in a hash and un-hashing them for use in connecting to the database from PHP, though I would like some opinions about this too, please.
If someone has a suggestion from the database perspective (e.g. being able to restrict users to SELECT, INSERT, DELETE, UPDATE, etc. and not allowing DROP and TRUNCATE, as examples), my first concern is making sure I am SQL neutral, as I intend to eventually migrate from MySQL to PostgreSQL (this might be relevant, though, so it is better to bring it up). I currently use phpMyAdmin and cPanel, and phpMyAdmin shows that the connected user is different from the site's database user names, so in that regard I can still use certain commands (DROP and TRUNCATE as examples again) with that user and restrict the site user's permissions, unless I'm mistaken for some reason?
Is there a way to configure the context in which the connection credentials are accepted? For clarification, a hacker with access to the source code would not be accessing the site the same way legitimate users would.
Another idea that crossed my mind is system-based encryption: is there a near-universal (as in, on every or nearly every LAMP web host setup) web-hosting technique where the system can read/write the file through Apache, which would introduce a new layer that a hacker would have to find a way to circumvent?
I'm using different passwords for each user, of course.
I am currently on shared hosting, though hopefully my setup will scale up to dedicated hosting eventually.
So what are your thoughts on my security concepts, and what other concepts could I try to make my database connection credentials more secure?
Clarification: I am looking for ideas that I can pursue. If there is disagreement with any of the suggestions, please ask for clarification and explain your concern instead of arguing a given approach, as I may have already considered, or even started to pursue, a given concept. Thanks!
There is little to be gained from trying to slow down an intruder who already has root access to your system. Even if you manage to hide the credentials well enough to discourage them, they have access to your system and can wreak havoc in a million ways, including modifying the code to do whatever they wish.
Your best bet is to focus on preventing the bad guys from ever penetrating your outer defenses; worry about the rest only after you have made sure you did everything you can to keep them at the gates.
That said, restricting database user accounts to only a certain subset of privileges is definitely not a bad thing to do if your architecture allows it.
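The privilege restriction raised in the question and endorsed in the answer above could look like this in MySQL. This is an added example, not part of the original question or answer; the database names, account names and passwords are hypothetical placeholders, and it assumes an administrative account that is allowed to create users and grant privileges.

```sql
-- Constructed example: all names and passwords below are placeholders.
-- Run as an administrative account, never as one of the site accounts.

-- One database and one login per site, so a credential leaked from
-- site A's PHP configuration gives no access to site B's data.
CREATE DATABASE IF NOT EXISTS site_a_db;
CREATE DATABASE IF NOT EXISTS site_b_db;

CREATE USER 'site_a_web'@'localhost' IDENTIFIED BY 'REPLACE_WITH_UNIQUE_PASSWORD_A';
CREATE USER 'site_b_web'@'localhost' IDENTIFIED BY 'REPLACE_WITH_UNIQUE_PASSWORD_B';

-- Weak setting, shown for contrast only (left commented out):
-- the web account could DROP, ALTER and TRUNCATE every table.
-- GRANT ALL PRIVILEGES ON site_a_db.* TO 'site_a_web'@'localhost';

-- Restricted setting: only the row-level operations the PHP code needs,
-- scoped to the site's own database.
GRANT SELECT, INSERT, UPDATE, DELETE ON site_a_db.* TO 'site_a_web'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON site_b_db.* TO 'site_b_web'@'localhost';

-- In MySQL, TRUNCATE TABLE requires the DROP privilege, so withholding
-- DROP blocks both statements for the web accounts.

-- Check what each web account can actually do. The output should list
-- USAGE on *.* plus the four privileges on that site's database only.
SHOW GRANTS FOR 'site_a_web'@'localhost';
SHOW GRANTS FOR 'site_b_web'@'localhost';

-- PostgreSQL counterpart for the planned migration (run while connected
-- to site_a_db as the role that owns the tables):
--   CREATE ROLE site_a_web LOGIN PASSWORD 'REPLACE_WITH_UNIQUE_PASSWORD_A';
--   GRANT CONNECT ON DATABASE site_a_db TO site_a_web;
--   GRANT USAGE ON SCHEMA public TO site_a_web;
--   GRANT SELECT, INSERT, UPDATE, DELETE
--     ON ALL TABLES IN SCHEMA public TO site_a_web;
--   GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO site_a_web;
-- In PostgreSQL, TRUNCATE is a separate privilege and DROP TABLE requires
-- ownership, so a non-owner role with these grants can do neither.
```

Schema changes and maintenance then stay with the separate administrative login, as with the phpMyAdmin user mentioned in the question.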