5

So I am creating a web api for an app I am making. The data is sanitized before it is sent to my web api and then encrypted before it is stored in my MySql server.

The phone app sanitizes then behind the scenes calls -> web php api which encrypts aes style with a hard coded salt then calls -> server

My question is if I hard code a salt value into the php page is it at risk on a go daddy server?

I mean I know NOTHING is truly secure however what are the odds that someone would be able to hack a go daddy server and see my php source code. Assuming they disassemble my app and see the URL call to the api.

Since php code executes on the server I am assuming that there is no way to extract it?

Improve this question
2
  • 1
    Perhaps better asked at the security SE site? (btw please don't re-post, but flag for moderator attention to have your question migrated). Commented Jul 31, 2013 at 8:09
  • Given GoDaddy's security record plus using PHP means pushing the source code to the server means Security.SE's will advocate better key management practices will be required. Commented Jul 31, 2013 at 8:18

2 Answers 2

Reset to default
1

So I just wanted to follow up on this question now that I'm a little more seasoned as an engineer.

One work around to this I've found is putting sensitive information, api keys, salts, etc etc into json config files that are outside the scope of the webserver. I usually stick it under /var/securelocation/websiteconfig.json. Then when I write a php script I load that json config file into a php object and I access the properties I need.

This method is nice because it not only reduces the chance you'll leak your sensitive info if there's a problem with your php or webserver but it also makes it very easy to upload your code to GitHub without having to sanitize it. Just provide an example json file for the next user and that's it!

Improve this answer
0

I would say that it is very common practice to put constants (passwords, salts etc.) in php files.

How could you store your salt else? In a database? Where do you put your database credentials - again in the source code. You can also store it in an include file (.inc) and use that in your php code. It does not matter very much.

Speaking of GoDaddy: I have no clue if that hoster is more secure than another hoster, but technically it is all the same.

Improve this answer
6
  • 2
    Re security: GoDaddy have had major hacking related breaches in 2010 and 2011 plus outages in 2012 and earlier this year. Commented Jul 31, 2013 at 10:43
  • @JamesSnell Oh I know ALLLLLL about the outages..... That's how I got half off on my current delux hosting plan lol. So irritatating. Commented Jul 31, 2013 at 11:11
  • @TMS Thank you so much for the clear answer. My gut told me it was secure since it only returns text and no php source. Thought I would ask though. Commented Jul 31, 2013 at 11:12
  • @AMR There is the possiblity to return the code of a script, but that needs more than just HTTP/GET access - which must be enabled on the server itself: and if you can do that, you can also just 'view' the source on the server. Otherwise the script will always return the output (the html) or an errormessage. Commented Jul 31, 2013 at 14:45
  • 1
    @AMR I could not find it right now, but I think it was an some kind of plungin or extension for the webserver/apache. It can't be done client-side only. See also on stackoverflow Commented Jul 31, 2013 at 15:04

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.