PHP - Consider PHP string as inbuilt php function

0
votes

I am using php to connect to oracle database, php function to connect to oracle database is

oci_connect("user","password","database");

to make connection string more secure, i store connection string in php string variable and i have encrypted whole php string using openssl_encrypt method aes-128-cbc.

at the run time i am decrypting my encrypted string, encryption and decryption part is working ok, when i am decrypting string at run time i am getting proper decrypted value

$dec_conn_string = openssl_decrypt($encrypted_conn_string,"aes-128-cbc", $keys, $options=0, $iv);

so it is like

$dec_conn_string = oci_connect("user","password","database");

but $dec_conn_string is not having expected value e.g FALSE or connection identifier and connection to database is not happening, when i echo php variable $dec_conn_string it displays oci_connect("user","password","database").

2
phporacleencryption
How is that more secure? You'd have to have the password for the encryption in PHP code as well... additionally, a string is not code, you'd have to eval() it to execute the code in a string. This is a bad application design, you shouldn't do it like this.Lars Stegelitz
You may want to consider stackoverflow.com/questions/97984/… instead.Nigel Ren
@LarsStegelitz dont want to use eval as it is dangerous, my server is in vault, but i dont want to use plain connection string, as it is finding in secure code review auditUtsav Patel
You can't encrypt the whole code line! You may ONLY encrypt the individual parameters of the function call..Lars Stegelitz
After you've encrypted code part with some function it is not a code anymore, but string variable. You need to decrypt it and eval() to run that code. But as was said it is a bad design, use proper documented security, consider connection using Oracle Walletastentx

2 Answers

0
votes

You could use either an environment variable:

$c = oci_connect('hr', $_ENV['HRPASSWORD'], 'localhost/XE');

Or preferably you could use 'external authentication' such a wallet (as mentioned in comments) or other authentication system.

$c = oci_connect("/", "", "mynetalias", null, OCI_CRED_EXT);

See 'Password Handling in PHP Applications' on p116 of Oracle's free PDF The Underground PHP and Oracle Manual.

0
votes

when i echo php variable $dec_conn_string it displays oci_connect("user","password","database").

So your encrypted data contains both PHP code and data. Really????!!!!!

That's bad. While it is technically possible to handle this in PHP code it is ver dangerous and inefficient.

Keep your code and data separate.

Also use an appropriate data structure for your data.

You need to re-encrypt your data. Not your code.

If I thought the approach of encrypting the credentials had any value (you've just moved the problem to the encryption key) I'd do something like....


$db=unserialize(decrypt($cyphertext,$key));
if (!($db['user'] && $db['pass'] && $db['db'])) {
     trigger_error('bad decrypt');
     exit 1;
}
oci_connect($db['user'], $db['pass'], $db['db']);

Where

$cyphertext=encrypt(serialise(array(
   'user'=>'scott', 'pass'=>'tiger','db'=>'hr'
  )),$key);