#1
    Contributing User (joined Feb 2000)
    Newbie question:
    If I connect to a mySQL database with php I have to write the access data into the php file, e.g.:

    $hostname = "my_host";
    $username = "my_name";
    $password = "my_pwd";
    $dbName = "my_db";
    $userstable = "my_table";
    mysql_connect($hostname, $username, $password) or die("Unable to connect to database");

    Is this secure ?

    In other words: can it be read by a bad boy ?

    Thanks in advance
    Gerhard

#2
    Banned (not really), Brussels, Belgium (joined Dec 1999)
    No, but bad girls can read it...

    Seriously, that's the joy of PHP. The code is parsed on the server, and only html is sent to the browser, so the person at the browser has no idea what your php code is.

    I usually keep all of my database connections in a separate file, database_inc.php, then include that file wherever I'll be connecting to a database:

    include("database_inc.php");

    One warning about naming your file. If you name it something like database.inc, which is common, then if someone calls up the .inc file in their browser, it'll be shown to them as plain text. This will show your passwords. Either name your file .php or make sure .inc files are parsed as PHP, that way no code will be sent to the browser.

    Another option is to place your .inc file outside of the web root, and include it like this:

    include("../includes/database.inc");

    That way, the page cannot be called up in a web browser because it's not in the web root.

    Hope that helps.

    ---John Holmes...

    ------------------
    The manual can probably answer 90% of your questions.

    PHP Manual: http://www.php.net/manual
    MySQL Manual: http://www.mysql.com/documentation/mysql/bychapter/
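As an added example (not code from the original post), here is one way to put John's advice into practice: keep the credentials in a file outside the document root, reach it from the script with a path relative to the script's own directory, and refuse to run if the file turns out to be reachable from the web. The directory layout, file names and the `$_SERVER['DOCUMENT_ROOT']` comparison are assumptions for illustration.

```php
<?php
// Added example, not from the original thread. Assumed (hypothetical) layout:
//   /home/gerhard/includes/database_inc.php  <- credentials, outside the web root
//   /home/gerhard/public_html/index.php      <- this script, inside the web root
//
// database_inc.php contains nothing but PHP that sets the connection variables:
//   <?php
//   $hostname = "my_host";
//   $username = "my_name";
//   $password = "my_pwd";
//   $dbName   = "my_db";

/**
 * True if $file resolves to a path under the web server's document root,
 * i.e. a browser could request it directly. Returns false when there is no
 * document root to compare against (for example when run from the CLI).
 */
function credentials_file_is_web_reachable($file)
{
    // realpath() resolves ".." and symlinks, so a relative include path is
    // compared by where it really points, not by how it was written.
    $real = realpath($file);
    $docroot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($real === false || $docroot === false) {
        return false;
    }
    // Trailing separator so "/var/www" does not match "/var/www2/secret.inc".
    $docroot = rtrim($docroot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $docroot, strlen($docroot)) === 0;
}

// Build the include path from this script's directory, not from the current
// working directory, which Apache does not guarantee to be the script's own.
$credentials = dirname(__FILE__) . '/../includes/database_inc.php';

if (!file_exists($credentials)) {
    die('Credentials file not found');
}

if (credentials_file_is_web_reachable($credentials)) {
    // Served raw (e.g. a ".inc" that Apache does not hand to PHP), this file
    // would show the password to anyone who requests its URL.
    die('Refusing to run: credentials file is inside the document root');
}

include $credentials;
// $hostname, $username, $password and $dbName are now set for the rest of the page.
```

If the host does not let you put files above the document root, the fallback John describes (never serving `.inc` files raw) can be done in Apache with a `<Files ~ "\.inc$">` block containing `Order allow,deny` and `Deny from all` (Apache 1.3/2.2 syntax; Apache 2.4 uses `Require all denied` instead).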
#3
    Contributing User (joined Feb 2000)
    Thanks a lot for your enlightenment, John!
#4
    freebsd (Guest)
    >>Is this secure ?
    >>In other words: can it be read by a bad boy ?

    Yes, if the bad boy is on the same server. So I have to say that PHP as an Apache module is always insecure.

    Start here to find out more -> http://www.devshed.com/Talk/Forums/F...ML/003053.html

    PHP as CGI can take advantage of cgiwrap or SuEXEC. As an Apache module, let's say Apache is run as "www", your php file MUST BE readable by "www". The PHP scripts of other people on your same server MUST also be readable by www. That is, the PHP scripts of your other members and yours are run as user www. So one can write a script (Perl or PHP) which, hint, runs as the www user and can also read your PHP files.

    So basically your $hostname, $username, $password are readable by every bad boy on your server.
#5
    Contributing User (joined Feb 2000)
    So if I understand right, the bad guy must:

    - get an account on my server
    - write an appropriate php or perl script

    the data must be worthwhile to justify that (in my case they aren't)

    Anyway, a "normal" surfer has no easy access to the php files, but I agree that this environment is not "secure".

    What is the way to do it for sensitive data?

    Thanks,
    Gerhard
#6
    freebsd (Guest)
    >>a "normal" surfer has no easy access to the php files

    Correct. Just like what SepodatiCreations mentioned.

    >>What is the way to do it for sensitive data?

    Not to mention, if you have shell access to your host or ftpd on the server isn't chroot'd, your PHP scripts (as an Apache module) on a shared server are always visible to others on the same server unless the user "www" can't even read them. If you happen to chmod it to such a permission that nobody can read it, you would have to contact your tech support to chmod it back to the appropriate permission.

    A safe way, as I said earlier, is to install PHP as CGI and enable SuEXEC or get cgiwrap. But in the real world, very few public hosts are doing so. So another safe way is to host on a dedicated server, but it isn't safe if you don't trust the people at your host. So, the safest way is to run your own dedicated server where nobody else could access your box physically, along with PHP as an Apache module.

    [This message has been edited by freebsd (edited October 05, 2000).]
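As an added example (not freebsd's code), the following script makes the shared-host argument from posts #4 and #6 concrete: it reports which user the PHP process runs as, who owns the credentials file, and what the file's permission bits mean for the other accounts on the machine. Under suEXEC or cgiwrap the script runs as the file owner and chmod 600 closes the hole; under mod_php it runs as the shared server user, so any mode that lets the include work also lets every other customer's script read the file. The file path is hypothetical and the posix extension is assumed to be loaded.

```php
<?php
// Added example, not from the original thread. Reports how exposed a
// credentials include is on the host it runs on. Path is hypothetical;
// requires the posix extension for posix_geteuid() and posix_getpwuid().

function describe_exposure($file)
{
    if (!file_exists($file)) {
        return 'missing: ' . $file;
    }

    $mode  = fileperms($file) & 0777;   // keep only the permission bits
    $owner = fileowner($file);          // uid that owns the file
    $me    = posix_geteuid();           // uid PHP is executing as right now
    $who   = posix_getpwuid($me);
    $name  = $who ? $who['name'] : (string) $me;

    $group_readable = ($mode & 0040) !== 0;
    $other_readable = ($mode & 0004) !== 0;

    if ($me === $owner) {
        // PHP runs as the file owner: suEXEC/cgiwrap, or a box you do not share.
        // chmod 600 is enough here, since no other account's script can open it.
        if ($group_readable || $other_readable) {
            return sprintf('runs as owner %s, but mode %04o lets other users read it: chmod 600', $name, $mode);
        }
        return sprintf('runs as owner %s, mode %04o: only the owner can read it', $name, $mode);
    }

    // PHP runs as a shared server user such as "www". For the include to work
    // at all, that user must be able to read the file, and every other
    // customer's script runs as the same user, so it can read the file too.
    if (is_readable($file)) {
        return sprintf('runs as %s (not the owner), mode %04o: readable by every script on this server', $name, $mode);
    }
    return sprintf('runs as %s (not the owner), mode %04o: the web server cannot read it, so the include itself fails', $name, $mode);
}

echo describe_exposure(dirname(__FILE__) . '/../includes/database_inc.php'), "\n";
```

Run it once from the browser (as mod_php or CGI) rather than from your shell: the shell run tells you about your own uid, while the web run tells you which uid actually executes the include and therefore who else on the server shares that access.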

