Thread: Need opinion

    #1
    Hi.
    I'm working on a project and I'm using PHP and MySQL. The project consists of a couple of PHP modules (files), and in every module I'm connecting to the MySQL server. So I've decided to put some common data into a configuration file, and every module reads data from it. Here is the sample (sample.ini):

    host=www.some_host.com
    user=some_user
    password=some_password
    database=some_database
    base=../Archive/

    I'm using this function to read data:

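    function read_config()
    {
        $filename = "../config/config.ini";
        $ret = array();
        $fd = fopen($filename, "r");
        if (!$fd) {
            return $ret; // config file missing or unreadable
        }
        // Loop on fgets() itself: a feof() test runs one extra time at EOF.
        while (($line = fgets($fd, 128)) !== false) {
            // split() was removed in PHP 7; limit 2 keeps "=" inside a value.
            $arr = explode("=", chop($line), 2);
            if (count($arr) == 2) {
                $ret[$arr[0]] = $arr[1]; // blank or malformed lines are skipped
            }
        }
        fclose($fd);
        return $ret;
    }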

    Finally, this is how I use it:

    $cfg=read_config();

    $base=$cfg["base"];
    $host=$cfg["host"];
    $user=$cfg["user"];
    $password=$cfg["password"];
    $database=$cfg["database"];
    .
    .
    .
    $cid=mysql_pconnect($host,$user,$password);

    My questions are:

    Is this a safe method? Is there a chance that someone can "steal" the config.ini file?
    I think speed isn't a problem because the file is on a local server, so the overhead is small.

    What about mysql_pconnect? Every module connects to the server using mysql_pconnect; does this mean that only the first module (that connects to the server) creates a connection and the others reuse it?
    #2
    Hum? Why not just have your config file look like this:
    <?php
    $dbhost = "localhost";
    $dbuser = "username";
    $dbpass = "password";
    $dbname = "dbname";

    $db = mysql_connect($dbhost, $dbuser, $dbpass);
    mysql_select_db($dbname, $db);
    ?>

    And just reference the connection by calling on $db;
  4. #3
  5. Banned (not really)
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 1999
    Location
    Brussels, Belgium
    Posts
    14,645
    Rep Power
    4492
    Also, if someone typed config.ini into their web browser, it would be shown to them as plain text, unless you have your web server set up to parse .ini files as php. Even though they would have to guess at the name, it would be a security violation to be able to see the plain text of your file with your password info....

    ---John Holmes...
    #4
    Originally posted by freddydoesphp:
    > Hum? Why not just have your config file look like this:
    > <?php
    > $dbhost = "localhost";
    > .
    > .
    > .
    > ?>
    >
    > And just reference the connection by calling on $db;

    It was for the first time, but what if I change user, or password or database? This means that I must change all php scripts. In this manner, it's done only in one file.
    #5
    Originally posted by SepodatiCreations:
    > Also, if someone typed config.ini into their web browser, it would be shown to them as plain text, unless you have your web server set up to parse .ini files as php. Even though they would have to guess at the name, it would be a security violation to be able to see the plain text of your file with your password info....
    >
    > ---John Holmes...

    But, is there any way to give access to this file only by PHP script but not by browser?

    #6
    Originally posted by deltaplan:
    > It was for the first time, but what if I change user, or password or database? This means that I must change all php scripts. In this manner, it's done only in one file.

    Freddydoesphp's example is the same: that info is stored in one file that is referenced by all the others, using something like:
    include("config.php");

    HTH
    Graham

    #7
    If you don't want the browser to access the .ini file, place it outside of your web root and use include(). If your filesystem looks like this...

    /home/www/
    /home/include/

    Then you could have a file /home/www/page.php that has a command like

    include("../include/config.ini");

    It'll include the file, where you set your variables, but it can't be brought up in a web browser.

    Hope that helps.

    ---John Holmes...
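
The layout described in the post above, as an added example that is not part of the original thread: a loader that reads the key=value file from outside the web root and refuses a copy placed inside it. The function name `load_db_config` and the paths in the usage comment are assumptions.

```php
<?php
// Added example (not from the thread). Assumed layout, matching the post above:
//   /home/www/      document root, served to browsers
//   /home/include/  not served; holds config.ini in the key=value format of post #1

function load_db_config(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException("config file not found: $configPath");
    }

    // Refuse a config file that sits inside the document root, where a
    // direct request for it would return the credentials as plain text.
    // (An empty $docRoot, as on the command line, skips this check.)
    if ($docRoot !== '' && ($root = realpath($docRoot)) !== false) {
        $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $root, strlen($root)) === 0) {
            throw new RuntimeException("refusing config inside web root: $real");
        }
    }

    // Warn if other local accounts can read the file (shared hosting).
    if ((fileperms($real) & 0004) !== 0) {
        error_log("warning: $real is world-readable");
    }

    // INI_SCANNER_RAW keeps values as written, so a password such as
    // "yes" or "null" is not converted to "1" or "" by the INI parser.
    $cfg = parse_ini_file($real, false, INI_SCANNER_RAW);
    if ($cfg === false) {
        throw new RuntimeException("cannot parse $real");
    }
    foreach (['host', 'user', 'password', 'database'] as $key) {
        if (!isset($cfg[$key]) || $cfg[$key] === '') {
            throw new RuntimeException("missing config key: $key");
        }
    }
    return $cfg;
}

// Usage from /home/www/page.php (paths are assumptions):
// $cfg = load_db_config(__DIR__ . '/../include/config.ini', $_SERVER['DOCUMENT_ROOT']);
```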
    #8
    Yes, as stated above, you can just include that one page on any page that you want to use db access, and by include I don't mean copy and paste, simply use
    include("/pathtofile/db.inc");
    That way you can change just one file and update all scripts. Since it is in php tags, as long as your server is set to parse .inc as php no browser will be able to see it, since it will get parsed before it gets to the screen. If your server is not set that way, just name it db.php, db.php3, whatever your server is set to.
    #9
    If something happens to the server so that it stops parsing PHP files, then everything will appear as text and anyone can see what's in config.ini.

    The only safe way to make sure that a browser cannot see the contents of config.ini or config.ini.php or whatever.whatever is to place it outside of your webroot...

    You take chances otherwise...small chances, yes, but chances none the less....

    ---John Holmes...

    [This message has been edited by SepodatiCreations (edited October 21, 2000).]
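
A deployment check for the risk described above, as an added example that is not part of the original thread: it walks a web root and reports files holding credentials in either config style posted here, since those would be readable if PHP parsing ever stopped. The function name `find_exposed_secrets` is an assumption and the sample tree is constructed.

```php
<?php
// Added example (not from the thread): list files under a web root that would
// disclose credentials if the server returned them unparsed.

function find_exposed_secrets(string $docRoot): array
{
    // Patterns modelled on the two config styles posted in this thread.
    $patterns = [
        '/^\s*pass(word|wd)?\s*=\s*\S+/mi',            // key=value .ini style
        '/\$\w*(pass|pwd)\w*\s*=\s*["\'][^"\']+/i',    // $dbpass = "..." style
    ];
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docRoot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile() || $file->getSize() > 1048576) {
            continue; // skip directories and files over 1 MiB
        }
        $text = file_get_contents($file->getPathname());
        if ($text === false) {
            continue; // unreadable file
        }
        foreach ($patterns as $re) {
            if (preg_match($re, $text)) {
                $findings[] = $file->getPathname();
                break;
            }
        }
    }
    sort($findings);
    return $findings;
}

// Constructed sample tree, built in a temp directory so the script runs offline.
$root = sys_get_temp_dir() . '/webroot_' . uniqid();
mkdir("$root/config", 0700, true);
file_put_contents("$root/index.php", "<?php echo 'hello';\n");
file_put_contents("$root/config/config.ini", "host=db.example.test\npassword=some_password\n");
file_put_contents("$root/db.inc", "<?php \$dbpass = \"password\";\n");

foreach (find_exposed_secrets($root) as $path) {
    echo "move outside web root: $path\n";
}
```

On the constructed tree this reports `config/config.ini` and `db.inc` but not `index.php`.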
    #10
    Fair enough John, however I never store anything that is valuable enough to warrant that much thought. But I also store my passwords and such outside the webroot.
    #11
    Thank you all, boys and girls!
