Newbie question:
If I connect to a mySQL database with php I have to write the access data into the php file,eg.:
$hostname = "my_host";
$username = "my_name";
$password = "my_pwd";
$dbName = "my_db";
$userstable = "my_table";
MYSQL_CONNECT($hostname,$username,$password) OR DIE("Unable to connect to database");
Is this secure ?
In other words: can it be read by a bad boy ?
Thanks in advance
Gerhard
-
No Profile PictureContributing UserDevshed Newbie (0 - 499 posts)
- Join Date
- Feb 2000
- Posts
- 77
- Rep Power
- 18
-
Banned (not really)Devshed Supreme Being (6500+ posts)
- Join Date
- Dec 1999
- Location
- Caro, Michigan
- Posts
- 14,764
- Rep Power
- 4536
No, but bad girls can read it...
Seriously, that's the joy of PHP. The code is parsed on the server, and only html is sent to the browser, so the person at the browser has no idea what your php code is.
I usually keep all of my database connections in a seperate file, database_inc.php, then include that file where ever I'll be connecting to a database
include("database_inc.php");
One warning about naming your file. If you name it something like database.inc, which is common, then if someone calls up the .inc file in their browser, it'll be shown to them as plain text. This will show your passwords. Either name your file .php or make sure .inc files are parsed as PHP, that way no code will be sent to the browser.
Another option is to place your .inc file outside of the web root, and include it like this:
include("../includes/database.inc")
That way, the page cannot be called up in a web browser because it's not in the web root.
Hope that helps.
---John Holmes...
------------------
************************
The manual can probably answer 90% of your questions.
PHP Manual: <A HREF="http://www.php.net/manual
MySQL" TARGET=_blank>http://www.php.net/manual
MySQL</A> Manual: <A HREF="http://www.mysql.com/documentation/mysql/bychapter/
************************" TARGET=_blank>http://www.mysql.com/documentation/mysql/bychapter/
************************</A> -
No Profile PictureContributing UserDevshed Newbie (0 - 499 posts)
- Join Date
- Feb 2000
- Posts
- 77
- Rep Power
- 18
Thanks a lot for your enlightment, John !
-
No Profile PicturefreebsdGuestDevshed Newbie (0 - 499 posts)
>>Is this secure ?
>>In other words: can it be read by a bad boy ?
Yes if the bad boy is on the same server. So I have to say that PHP as an Apache module is always insecure.
Start here to find out more -> http://www.devshed.com/Talk/Forums/F...ML/003053.html
PHP as CGI can take advantage of cgiwrap or SuEXEC. As an Apache module, let say Apache is run as "www", your php file MUST BE readable by "www". The PHP scripts of other people on your same server MUST also be readable by www. That is, the PHP scripts of your other members and yours are run as user www. So one can write a script (Perl or PHP), hint, this script runs as www user, can also read your PHP files.
So basically your $hostname,$username,$password is readable by every bad boys on your server. -
No Profile PictureContributing UserDevshed Newbie (0 - 499 posts)
- Join Date
- Feb 2000
- Posts
- 77
- Rep Power
- 18
So if I understand right, the bad guy must:
- get an account on my server
- write an appropriate php or perl script
the data must be worth while to justify that (in my case they aren't)
Anyway, a "normal" surfer has no easy access to the php files, but I agree that this environment is not "secure".
What is the way to do it for sensible data ?
Thanks,
Gerhard -
No Profile PicturefreebsdGuestDevshed Newbie (0 - 499 posts)
>>a "normal" surfer has no easy access to the php files
Correct. Just like what SepodatiCreations mentioned.
>>What is the way to do it for sensible data ?
Not to mention if you have shell access to your host or ftpd on the server isn't chroot'd, your PHP scripts (as an Apache module) on a share server are always visible from others on the same server unless the user "www" can't even read it. If you happen to chmod it to such a permission where nobody can read it, you would have to contact your techsupport to chmod it back to the appropriate permission.
A safe way, as I said earlier is to install PHP as CGI and enable SuEXEC or get cgiwrap. But in the real world, very few public hosting is doing so. So another safe way is to host on a dedicated server but it isn't safe if you don't trust the people from your host. So, the safest way is to run your own dedicated server where nobody else could access to your box physically along with PHP as an apache module.
[This message has been edited by freebsd (edited October 05, 2000).]
October 4th, 2000, 02:49 AM
Reply With Quote
October 4th, 2000, 03:08 AM
October 4th, 2000, 03:12 AM
October 5th, 2000, 04:40 AM
October 5th, 2000, 05:02 AM
October 5th, 2000, 11:46 AM
Similar Threads
-
Session_start() breaks access to data object
By phoebebright in forum PHP DevelopmentReplies: 3Last Post: February 11th, 2004, 03:32 AM -
Getting data from different tables in Mysql with PHP
By Bosw8er in forum PHP DevelopmentReplies: 3Last Post: February 10th, 2004, 04:25 PM -
Search a file for 3 different strings and create an Array or file from data
By lisamar1 in forum Perl ProgrammingReplies: 2Last Post: February 6th, 2004, 07:25 AM -
PHP file upload script trouble
By casbboy in forum PHP DevelopmentReplies: 9Last Post: February 5th, 2004, 07:42 PM -
Can I retrieve data from mySQL and display with PHP in <option>
By spank in forum PHP DevelopmentReplies: 1Last Post: February 5th, 2004, 11:03 AM
