Here’s my basic setup…
I have a website that will be used for employees to log in, and submit things like timesheet forms, purchases, etc. The website is written with some basic HTML and then has some PHP on the backend to run some SQL queries to pull/send some information to/from a Microsoft Access Database being hosted on the same server as the website.
My question is this… if somebody got an employee’s password to log onto the site, how easy would it be for them to view the contents of my database? I honestly have no intuition or clues to guide me here, so I’m asking for some help. As currently set up, there is really no protection going on here, so if it is quite easy to access the database, I would like some pointers on how to secure it.
That all depends on the permissions and the connection strings. The same risk applies to the above scenario as what I posted below, but having valid credentials can certainly make it easier to get at the database.
Even if they didn’t get someone’s password, it’s possible for someone to access your database if the website is vulnerable to SQL Injection.
There are far too many variables to fully cover securing your database on this forum. But here are a few good places to start.
Finally, I know you said you’re using PHP, not ASP.NET, but I’m going to suggest the following link anyway. It goes way beyond just code, including threat modeling, common risks, etc. It is an excellent resource even if you’re not a .NET developer.
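To make the SQL injection point in the answer above concrete, here is an added PHP example (not code from the original post or from the poster's site). It uses an in-memory SQLite database as a stand-in for the Access file so it runs anywhere PHP has pdo_sqlite; the table name `employees`, its columns, and the sample users are assumptions. The same two functions work unchanged against Access through PDO_ODBC, where the DSN would look like `odbc:Driver={Microsoft Access Driver (*.mdb, *.accdb)};Dbq=C:\path\site.accdb` (a placeholder path), because PDO passes the `?` placeholders to the ODBC driver as bound parameters.

```php
<?php
// Added example, not code from the original post. SQLite in memory stands in
// for the Access file; `employees` and its columns are assumed names.
declare(strict_types=1);

function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE employees (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    // Store only a salted hash of each password, never the password itself.
    $ins = $db->prepare('INSERT INTO employees (username, password_hash) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    $ins->execute(['bob',   password_hash('battery staple', PASSWORD_DEFAULT)]);
    return $db;
}

// VULNERABLE: the username is pasted straight into the SQL text, so a value
// such as  x' OR '1'='1  turns the WHERE clause into
//   WHERE username = 'x' OR '1'='1'
// and every employee's row (hash included) comes back. The same trick with a
// UNION SELECT reads any other table the connection can see, which is how a
// logged-in employee, or nobody at all, gets at the whole database.
function vulnerable_lookup(PDO $db, string $user): array
{
    $sql = "SELECT username, password_hash FROM employees WHERE username = '" . $user . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: a prepared statement sends the SQL and the value separately; the
// driver binds $user as data, so quotes inside it cannot change the query.
// The submitted password is then checked against the stored hash.
function safe_login(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM employees WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                     // unknown user
    }
    return password_verify($password, $row['password_hash']);
}

$db      = make_demo_db();
$payload = "x' OR '1'='1";

$leaked = vulnerable_lookup($db, $payload);
echo "vulnerable_lookup returned " . count($leaked) . " rows for payload {$payload}\n";

var_dump(safe_login($db, $payload, 'anything'));
var_dump(safe_login($db, 'alice', 'correct horse'));
var_dump(safe_login($db, 'alice', 'wrong'));
```

With that payload, `vulnerable_lookup` returns every row while `safe_login` returns false, because the bound parameter is compared literally against the `username` column. Two further points for the Access setup in the question: the account named in the connection string should have no more rights than the site needs (read/write on the timesheet and purchase tables, nothing else), and the .accdb/.mdb file must live outside the web root, otherwise anyone who guesses its URL can download the entire database without logging in or injecting anything.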