Good replies above there I think. What evidence do you have that they actually breached the db server? Could that information have been gathered in other ways?
Anyways, stuff to check would be:
- don’t write your own SQL, use the CI db class (helps your sanity and preventing SQL injection).
- “Shouldn’t all the PHP be parsed before anything leaves the server?” Jelmer covered that; one addition is that stopping the web server from parsing PHP is possible but would require modifications to the web server’s configuration itself, and there are probably easier ways to get at your source than getting control of the httpd, so that seems unlikely.
My bets would be:
1) it’s the shared hosting, so many of them are wide open once you have an account on there.
2) db credentials were stored in the PHP source instead of elsewhere, and someone browsed your source.
3) use of FTP credentials which were sniffed.
4) you got XSS’ed or XSRF’ed and they stole an admin session off you for your app, or PHP db management interface or similar.
One thing to ensure is to be as tight as possible with the db authentication credentials, i.e. only allow access from certain IPs with long, strong passwords, ensure you have changed the admin password after install etc., as then at least they have to be able to modify files on your web app server to get at the data (yep, IPs can be spoofed but that’s non-trivial). Otherwise they can sit there and try to brute-force the mysqld.
Encrypting communications to a remote db server would prevent wire-sniffing type attacks (assuming they know where your db server is), but that’s quite a processor overhead, and there are easier ways to get at that data by the sound of it. When the db is on the same local box the connection is via unix local sockets, not over the wire, so they can’t port-sniff you (if the db is properly locked down to only accept connections via unix local sockets or 127.0.0.1 or something). If it is on shared hosting still, it is possible for another user to snoop on that unix local socket connection, but it’s not trivial IIRC. If you are on shared hosting you have bigger security issues, so I wouldn’t bother encrypting the connection to a local mysqld.
Edit: there are several gotchas to running mysqld on a local machine, mainly don’t enter passwords from the shell (they may show up in the process list) and turn off networking in the my.cnf. I suggest you read up on securing mysqld before setting it up.
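As an added example (not code from this thread or from CodeIgniter), a small Python audit of the two mysqld lock-down points raised in the reply above: whether my.cnf leaves mysqld listening on the network, and whether any db account is granted from a wildcard host. The my.cnf fragments and the mysql.user rows are constructed sample input.

```python
"""Audit two mysqld lock-down points: network exposure and wildcard grants."""
import configparser

# Constructed my.cnf fragments: one with default-style networking, one locked down.
OPEN_CNF = """
[mysqld]
bind-address = 0.0.0.0
port = 3306
"""

LOCKED_CNF = """
[mysqld]
skip-networking
bind-address = 127.0.0.1
socket = /var/run/mysqld/mysqld.sock
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def mysqld_listens_remotely(cnf_text):
    """Return True if this my.cnf leaves mysqld reachable over TCP from other hosts."""
    # my.cnf is INI-style; options like skip-networking carry no value.
    cp = configparser.ConfigParser(allow_no_value=True, strict=False)
    cp.read_string(cnf_text)
    if not cp.has_section("mysqld"):
        return True  # no [mysqld] section: server defaults apply, TCP is on
    sec = cp["mysqld"]
    if "skip-networking" in sec or "skip_networking" in sec:
        return False  # unix socket only; nothing on the wire to sniff
    bind = sec.get("bind-address", sec.get("bind_address", "0.0.0.0"))
    return bind.strip() not in LOOPBACK  # anything but loopback is exposed


# Constructed rows, shaped like the output of: SELECT user, host FROM mysql.user;
GRANT_ROWS = [
    ("root", "localhost"),
    ("app", "127.0.0.1"),
    ("app", "%"),          # reachable from any host: brute-force target
    ("report", "10.0.%"),  # wildcard subnet rather than a specific IP
]


def overly_broad_accounts(rows):
    """Return (user, host) pairs granted from a wildcard or empty host."""
    return [(u, h) for u, h in rows if h == "" or "%" in h]
```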