I am working on a basic mysql application that will essentially take all of the data from a database and display it, with the only real user interaction being the ability to sort them. Since there is no place where the user will be able to input any data, I feel relatively safer creating this. The main issue I am worried about is when the app will have to log into the server. I created a separate user name on the server, and limited the privileges in the database so that particular user may only “select” data. I fear that this still exposes the location of the server. Should I encrypt this step? Are there any other security concerns I should guard against given this scenario?
If you need more information, I will happily add it on here.
UPDATE
It may be useful to know that the main function of this is to catalog merch for the purpose of commerce. None of the info in this database will be private. The commerce will occur with the help of a third party ecommerce site. I want to access the database using php mysqli and display it as html. The site is on a shared commercial server.
You should still use prepared queries for making the SQL queries in case the system later needs to support more kinds of queries (or if the system DB accounts are misconfigured or something similar.).
The location of your server doesn’t need to be hidden, as long as it’s sufficiently protected. You shouldn’t rely on the attacker not knowing where the server is because they can usually figure that out. If your application knows the location of the server, it’s safe to assume that the attacker can get it as well.
Instead focus your security on securing the server. Minimize the accounts on the server, ensure they have non-default (and non-trivial) passwords, make sure the software is up to date, etc.