MySQL connection credentials
Description
This vulnerability identifies source code files that contain hardcoded MySQL database credentials within mysql_connect() or mysql_pconnect() function calls. When database connection parameters such as hostnames, usernames, and passwords are embedded directly in application code, they become exposed to anyone with access to the file system or source code repository. This practice violates secure credential management principles and creates significant security risks in production environments.
Remediation
Immediately remove hardcoded database credentials from all source code files and implement secure credential management practices:
1. Move credentials to environment variables or configuration files: Store database credentials outside the codebase in environment variables or secure configuration files with restricted file permissions (chmod 600).
2. Use a secrets management solution: Implement a dedicated secrets management system such as HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault for production environments.
3. Update connection code: Modify database connection calls to retrieve credentials from secure sources:
// Instead of:
$conn = mysql_connect('localhost', 'hardcoded_user', 'hardcoded_pass');
// Use environment variables:
$conn = mysql_connect(
getenv('DB_HOST'),
getenv('DB_USER'),
getenv('DB_PASSWORD')
);
4. Rotate compromised credentials: Change all exposed passwords immediately and audit database access logs for unauthorized activity.
5. Implement access controls: Ensure configuration files containing credentials are not web-accessible and are excluded from version control systems using .gitignore or equivalent mechanisms.
6. Apply principle of least privilege: Use database accounts with minimal necessary permissions rather than administrative credentials.