Php Hardcoded Db Password
Description
Identifies PHP database connections that use hardcoded passwords in mysqli_connect() or mysqli constructor calls. This is a security risk as embedding credentials directly in source code could lead to password exposure through code access or version control systems.
Detection Strategy
• Scans for database connection calls using mysqli_connect() or mysqli constructor
• Examines the password parameter (third argument) in the connection call
• Reports a vulnerability if the password is a hardcoded string rather than a variable or configuration value
• Example vulnerable code: mysqli_connect('localhost', 'user', 'password123')
• Example secure code: mysqli_connect($host, $username, $password)
Vulnerable code example
<?php
// Direct use of hardcoded credentials in database connection
$conn = mysqli_connect("localhost", "root", "secretpass123!", "mydb"); // Unsafe: Hardcoded password in connection
// Using a hardcoded password variable
$password = "Secure@Pass2023";
$db = new mysqli("localhost", "admin", $password, "testdb"); // Unsafe: Using hardcoded password variable✅ Secure code example
<?php
// Get database credentials from environment variables
$host = getenv('DB_HOST'); // Safe: Credentials from environment vars
$user = getenv('DB_USER');
$password = getenv('DB_PASS');
$dbname = getenv('DB_NAME');
// Check if environment variables are set before connecting...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.