0

I have a web form for installing an application where users submit there sql credentials and server etc. I want to take that data and write it out to a config.php like:

$_MYSQL['server'] = '';
$_MYSQL['username'] = '';
$_MYSQL['password'] = '';
$_MYSQL['database'] = '';

on the fly based on what they submitted to be included in other files later. Problem is I don't want to write user submitted data out to a php file, that is obviously insecure. How can I do this safely?

Improve this question
7
  • "Problem is I don't want to write user submitted data out to a php file" how would you do it then ? a config.php is the solution, no one can see your mysql config from a public URL. Commented Aug 25, 2010 at 9:51
  • What is insecure here? Aren't this user an admin already? Commented Aug 25, 2010 at 9:52
  • yeah but in the case that the file remains on a server and is accessible to someone else I don't want people being able to arbitrarily write code to a php file. Commented Aug 25, 2010 at 9:55
  • youssef: i mean I dont want to write the data out to the php file without checking it and making sure its safe first. Commented Aug 25, 2010 at 9:56
  • but you should delete or lock an installation file anyway! Or that "someone" would mess whole site even without any code injection! Commented Aug 25, 2010 at 10:01

3 Answers 3

Reset to default
1

http://php.net/var_export

Improve this answer
Sign up to request clarification or add additional context in comments.

7 Comments

var_export is for output a "parseable string", that is not the "clean" way to store variables (just my opinion) ;)
by design, code produced by var_export is for evaling it, so not really secure, serialize is by design for a storage of variable's states, thats why i consider it as not "clean" method
@Dariusz err, pal, you misunderstood me. You were asked for the real life example, not some theoretical insinuations based on lack if knowledge and wrong assumptions.
@Col. Shrapnel, i understand Yours point, and question quite good, and i'm aware of that my assumptions actually may by wrong, dont have a real life example if i'll have one, will post it for You. But it's just my opinion, i'm considering "not some theoretical insinuations based on lack if knowledge and wrong assumptions" as an offense... this is going offtopic, stop flame make a peace :)
@Dariusz I am really sorry of this has been taken as offense but actually it's a fact. There is nothing wrong with tis function, it's already escaping everything. Not for seuruty but for obvious consistency reasons. Noone need a function which will fail on simple ' or $ character.
|
0

You have to escape the user input, and store data as a serialized version or array ( serialize ) this will give You a good starting point for makeing this in a secure way

i know that question is about a creation of bare php file, but serialization will be more secure and easy to use way

cheers

Improve this answer

5 Comments

would it not be safe to just strip out single quotes because the data will be placed in between single quotes when written to the file?
i consider You'll have this data from form, and it will not be used as params for query, just as login credentials, so i think even escaping quotes in that way is not necessary (what if user's db password contain quotes? )
no but what if someone submits a username like ';phpinfo();$x=' ...then we have php code written to config.php
that is just a string, serialize will handle that, You have to eval that string to make it dangerous :)
and less secure. simple request will reveal credentials to the user
0

Plenty of well-known pieces of software auto-generate their config files in this way. So long as you remove unwanted characters from the string, and perform proper validation on the form input, you should be just fine.

In this particular instance, a simple way to check that the MySQL credentials are safe would be to simply try connecting to the server with the details prior to writing them to the config file.

Additionally, as previously mentioned, installation scripts should be locked down anyway and only open to trusted users in the first place!

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.