February 29th, 2000, 04:31 AM
I am very new with php and web content in general, and my concern is with my novice ability leaving huge secuirty holes for any joker to have there way with.
Here is my current thought.
If I have a php script in a public html fodler named index.php3 how secure is this if at all.
Say I have a line like:
How easy is it for people to get the host,account,password.
Any info would be greate, and if this is a huge security violation what would be a better approach.
February 29th, 2000, 06:32 AM
The security issue depends in a way on the rights the specific account, used in your code, has. If this account has all the rights to for instance delete, create and update fields and even tables the security issue is greater than when the rights are only confined to using select statements.
Most important, however, is the way the rest of the PHP-page is written. In general if the PHP-page is written safely (so for instance no possibility to upload files, without any check, or to give commands to the php-parser) the security is only dependent on the safety of the web server.
This is what I know through my knowledge of the different languages, but since I do not have any formal education or experience in security issues, so if some pieces of this story are not 100% correct feel free to correct me.
Boradoli Web Design
February 29th, 2000, 09:02 AM
Ramon is on target with security being a function of good, solid PHP coding and nailing down directory permissions but if you're concerned about the public HTML directory being compromised, you can make an include directory above document root which contains any info (usernames, passwords) and functions you would rather not have below document root.
Say your document root is '/www/domain/HTML/'
Then in '/www/domain/include' you can store your sensitive information in a file called access.inc or similar...
Then in your HTML document you could have something like...
then connect to MySQL using the variables from access.inc
$link=mysql_connect($hostname, $username, $password);
February 29th, 2000, 10:40 AM
I think think the idea to put the login data into an external include file above the base directory is good and will work for me.
At least with my limited security knowledge it seems more secure.
Thanks for the help.