Best way to secure a PHP web service / relevant connection data?

So I am currently building an application that uses PHP as a web service which subsequently talks to the database in which I store my data. I have chosen to take this route because I am going to have a front-end application that will talk to the database and will be distributed and I do not want to contain any sensitive connection data within it. As of right now, here is how my application work开发者_JAVA技巧s:

1) Client-side application packages data as JSON and sends it via AJAX to the external PHP web service.

2) The PHP web service receives the request and validates it. This validation is done by checking that the correct parameters were supplied via the query string, that the JSON string that was passed along is valid JSON, that the properties within the json_decoded JSON object have the same names as the JSON object that I'm expecting, and that the value types of each property are of the correct type of the JSON object that I'm expecting.

3) If the JSON is valid then the PHP connects to a database and calls the stored procedure that corresponds with the input parameters. The connection data is kept in a separate config.php file and included in the web service.

4) If the database call succeeds, any relevant data is returned to the caller via JSON. Any errors that occur will kill the thread and return an error to the client.

Now, with this architecture, are there any screaming vulnerabilities that anyone sees? In order to better protect the connection data (as that is primarily what I would like to keep hidden from users) I am thinking about doing the following:

-Encoding the data in the config.php in a base of my choosing and then decoding it when connecting to the database.

-Obfuscating both the service and the config files.

Does this sound like enough in terms of protecting my connection values? Is there a better way to store sensitive connection data aside from a config.php file? Is there a way for somebody to easily get access to the .php file that contains the sensitive data? Any advice that you all can give me as to how to further secure this application from attacks would be greatly appreciated.

Best regards,

You could use the PHP OpenSSL libraries to encrypt sensitive data in your configuration files (rather than using security through obscurity). First use OpenSSL to generate a PKCS #12 certificate, then create a PHP page that uses the OpenSSL libraries to import that certificate and encrypt a section, or the whole, configuration file. Then from your PHP code that connects to the database, import that certificate again, and decrypt your sensitive configuration data, then use it to connect to the database. Depending on the size of the data you want to encrypt you may have to envelope the data with AES, then use the RSA keys to encrypt the AES key. This is getting a little complicated for everyone to implement themselves, I think I'm going to write a library for this, thanks for the idea.

Other than that, seems like you have some pretty good security.

From a server point of view...

If your database is on a separate server (which I'd recommend) - lock down the firewall to only accept requests from your web server.

You'd basically only allow access on port 3306 from the IP of your web server. If you're using something like Amazon Web Services this config is really easy to setup.

That way even if someone got the login credentials you'd have another barrier to entry.

Also, I'd make sure you're not on shared hosting, get a decent dedicated server for the web server with a reputable hosting provider that has a good SLA.