SQL Database Connection Linked File - Security Concern

Hi Wappler team,

I was having a look at the action connection file that is created in ..\dmxConnect\modules\Connections\connection1.php when the link icon is clicked:


and I noticed the credentials are stored in clear text:


(password blurred in screenshot)

What advice can you share about this feature so that it may be used securely? I was surprised to see this information in plain text but maybe you can assuage my concerns. Or would you advise that this feature not be used in Production?

:sunglasses:

Thanks!

Being a PHP file that is compiled by the server, you will find that the live version will not divulge any information at all, it is a blank document.


Hey @ben, that’s good to know, thanks. Obviously that is good news if someone unauthorized happens to get to it via browser, but what if they somehow access it via FTP? From there they could easily pivot into the database. In any development work I do, I always take a security-first approach and that includes finding ways to reduce the attack surface.

It would be nice if Wappler had a better way of storing this information as opposed to having it reside un-obfuscated in project source code. I wonder if choosing not to save it to a Server Connect action connection file would be more secure?

Hi @fatherofinvention
There is nothing to worry about, that’s not a security risk and that’s not something Wappler specific.
That’s how you set up a connection to your database using PHP - there is always a file storing this data :slight_smile: You can learn more here: https://www.w3schools.com/php/php_mysql_connect.asp

As Ben explained the PHP files are being compiled on the server, even if someone somehow has a link to this file, they will see a blank page.


Hey there @Teodor !

Thank you. As I have mentioned before, I don’t have any PHP experience, so I appreciate the education here. Good to know this is a perfectly safe and standard practice.

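An added example, not part of the thread and not Wappler's generated connection file or its format: a stand-alone PHP connection helper that reads the credentials from the server environment, so a copy of the project tree (for instance one obtained over FTP) does not contain the password. The environment variable names `DB_HOST`, `DB_NAME`, `DB_USER` and `DB_PASS` and the function names are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Added example: stand-alone PHP, not Wappler's generated connection file.
// The variable names DB_HOST, DB_NAME, DB_USER and DB_PASS are assumptions;
// they would be set in the web server or PHP-FPM configuration, outside the
// directory tree that holds the project source.

function loadDbSettings(): array
{
    $settings = [];
    $missing = [];
    foreach (['DB_HOST', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $name) {
        $value = getenv($name);
        if ($value === false || $value === '') {
            $missing[] = $name;   // record the name only, never a value
        } else {
            $settings[$name] = $value;
        }
    }
    if ($missing !== []) {
        // Fail closed: refuse to start rather than fall back to defaults.
        throw new RuntimeException('Missing database settings: ' . implode(', ', $missing));
    }
    return $settings;
}

function connect(): PDO
{
    $s = loadDbSettings();
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $s['DB_HOST'], $s['DB_NAME']);
    try {
        return new PDO($dsn, $s['DB_USER'], $s['DB_PASS'], [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]);
    } catch (PDOException $e) {
        // Keep the detail in the server log; rethrow a generic error so the
        // DSN and user name never reach a response body or error page.
        error_log('DB connection failed: ' . $e->getMessage());
        throw new RuntimeException('Database unavailable');
    }
}
```

Whichever place holds the secret, the database account it names should carry only the privileges the application needs, which limits what a leaked credential allows.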