October 4th, 2000, 02:49 AM
-
Newbie question:
If I connect to a mySQL database with php I have to write the access data into the php file,eg.:
$hostname = "my_host";
$username = "my_name";
$password = "my_pwd";
$dbName = "my_db";
$userstable = "my_table";
MYSQL_CONNECT($hostname,$username,$password) OR DIE("Unable to connect to database");
Is this secure ?
In other words: can it be read by a bad boy ?
Thanks in advance
Gerhard
October 4th, 2000, 03:08 AM
-
No, but bad girls can read it...
Seriously, that's the joy of PHP. The code is parsed on the server, and only html is sent to the browser, so the person at the browser has no idea what your php code is.
I usually keep all of my database connections in a separate file, database_inc.php, then include that file wherever I'll be connecting to a database
include("database_inc.php");
One warning about naming your file. If you name it something like database.inc, which is common, then if someone calls up the .inc file in their browser, it'll be shown to them as plain text. This will show your passwords. Either name your file .php or make sure .inc files are parsed as PHP, that way no code will be sent to the browser.
Another option is to place your .inc file outside of the web root, and include it like this:
include("../includes/database.inc");
That way, the page cannot be called up in a web browser because it's not in the web root.
Hope that helps.
---John Holmes...
------------------
************************
The manual can probably answer 90% of your questions.
PHP Manual: http://www.php.net/manual
MySQL Manual: http://www.mysql.com/documentation/mysql/bychapter/
************************
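The layout John describes, as an added example that is not code from the thread: the credentials live in a .php file one level above the web root and are pulled in with a relative include. The directory names, the `load_db_config()` helper and the config-file format (it ends with `return [...]` rather than setting globals) are assumptions made here; `mysqli_connect()` stands in for the thread's `mysql_connect()`, which later PHP versions removed. The helper also refuses to run if the file turns out to be under DOCUMENT_ROOT, and logs a warning if the file is readable by every local user, which is the shared-server problem raised further down the thread.

```php
<?php
// Added example, not from the original post. Assumed layout (hypothetical paths):
//   /home/site/htdocs/index.php                <- this script, inside the web root
//   /home/site/includes/database_inc.php       <- credentials, outside the web root
//
// Assumed contents of includes/database_inc.php (the .php extension means it is
// parsed, never served as plain text, even if it is ever copied under the web root):
//   <?php
//   return [
//       'hostname' => 'my_host',
//       'username' => 'my_name',
//       'password' => 'my_pwd',
//       'dbName'   => 'my_db',
//   ];

function load_db_config(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);
    if ($real === false) {
        throw new RuntimeException("Config file not found: $configPath");
    }

    // Refuse to run if the credentials file lives under the web root, where a
    // misconfigured server could hand it to a browser as text.
    $rootReal = realpath($docRoot);
    $root = rtrim($rootReal !== false ? $rootReal : $docRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $root, strlen($root)) === 0) {
        throw new RuntimeException("Credentials file $real is inside the web root $root");
    }

    // World-readable (o+r) means any local account on a shared host can read it.
    if ((fileperms($real) & 0004) !== 0) {
        error_log("Warning: $real is world-readable; consider chmod 640 or 600");
    }

    $config = require $real;   // the file returns an array, see comment above
    foreach (['hostname', 'username', 'password', 'dbName'] as $key) {
        if (!isset($config[$key]) || $config[$key] === '') {
            throw new RuntimeException("Missing '$key' in $real");
        }
    }
    return $config;
}

// Usage from a script in the web root; DOCUMENT_ROOT is set by the web server.
$config = load_db_config(
    __DIR__ . '/../includes/database_inc.php',
    $_SERVER['DOCUMENT_ROOT'] ?? __DIR__
);

$db = mysqli_connect($config['hostname'], $config['username'], $config['password'], $config['dbName'])
    or die("Unable to connect to database");
```

Returning an array from the include, rather than setting `$hostname` and friends as globals, keeps the credentials out of the global scope and makes the "is everything present" check a simple loop. The permission warning is only a warning: with PHP as an Apache module the file still has to be readable by the web server's user, which is the limitation the next replies discuss.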
October 4th, 2000, 03:12 AM
-
Thanks a lot for your enlightenment, John !
October 5th, 2000, 04:40 AM
-
>>Is this secure ?
>>In other words: can it be read by a bad boy ?
Yes, if the bad boy is on the same server. So I have to say that PHP as an Apache module is always insecure.
Start here to find out more -> http://www.devshed.com/Talk/Forums/F...ML/003053.html
PHP as CGI can take advantage of cgiwrap or SuEXEC. As an Apache module, let's say Apache is run as "www", your php file MUST BE readable by "www". The PHP scripts of other people on your same server MUST also be readable by www. That is, the PHP scripts of your other members and yours are run as user www. So one can write a script (Perl or PHP), hint, this script runs as the www user, that can also read your PHP files.
So basically your $hostname,$username,$password is readable by every bad boy on your server.
October 5th, 2000, 05:02 AM
-
So if I understand right, the bad guy must:
- get an account on my server
- write an appropriate php or perl script
the data must be worthwhile to justify that (in my case they aren't)
Anyway, a "normal" surfer has no easy access to the php files, but I agree that this environment is not "secure".
What is the way to do it for sensible data ?
Thanks,
Gerhard
October 5th, 2000, 11:46 AM
-
>>a "normal" surfer has no easy access to the php files
Correct. Just like what SepodatiCreations mentioned.
>>What is the way to do it for sensible data ?
Not to mention if you have shell access to your host or ftpd on the server isn't chroot'd, your PHP scripts (as an Apache module) on a shared server are always visible from others on the same server unless the user "www" can't even read it. If you happen to chmod it to such a permission where nobody can read it, you would have to contact your tech support to chmod it back to the appropriate permission.
A safe way, as I said earlier, is to install PHP as CGI and enable SuEXEC or get cgiwrap. But in the real world, very few public hosts are doing so. So another safe way is to host on a dedicated server, but it isn't safe if you don't trust the people from your host. So, the safest way is to run your own dedicated server where nobody else could access your box physically, along with PHP as an Apache module.
[This message has been edited by freebsd (edited October 05, 2000).]