where to store mysql_connect username and password

by **mindows** » Mon Feb 24, 2003 8:01 pm

how do people store their username and password for mysql_connect? it seems like most people just store it in an include file, but wouldn't it be dangerous to store in a php file? if the webserver fails to handle the php file incorrectly, couldn't the php source be viewable through the browse?
it seems like you can also define a default username/password in php.ini, but they indicate that it could be easily read by anyone who can view your environment variables.

so, how can i store mysql username/password securely?

by **Romantik** » Tue Feb 25, 2003 12:52 am

Code: Select all: <? # config.php $dbName= "dbName"; $dbUser= "dbUser"; $dbPass= "dbUserPass"; $dbServer= "dbServer"; $dbh= mysql_connect(....)or die(...); $res= mysql_select_db(.....)or die(...); ?> // We bear this file for limits server <? #YourScript.php require_once("YourPath/config.php"); // Your Code ?>

by **mindows** » Tue Feb 25, 2003 5:43 am

Romantik wrote:
Code: Select all
<? # config.php $dbName= "dbName"; $dbUser= "dbUser"; $dbPass= "dbUserPass"; $dbServer= "dbServer"; $dbh= mysql_connect(....)or die(...); $res= mysql_select_db(.....)or die(...); ?> // We bear this file for limits server <? #YourScript.php require_once("YourPath/config.php"); // Your Code ?>

don't you still have to have rx permissions on config.php in order for require to work?

by **Oleg Butuzov** » Tue Feb 25, 2003 7:07 am

just do it... test it.

by **mindows** » Tue Feb 25, 2003 7:58 am

Pejone wrote:just do it... test it.

i know the above code works, nike. my problem is that *anyone* on that system can read the config.php file.

by **pootergeist** » Tue Feb 25, 2003 2:45 pm

you probably just want to put it beyond public access and sling a .htaccess in the folder to assure calling headers included your domain as the request_uri

by **mindows** » Tue Feb 25, 2003 3:16 pm

pootergeist wrote:you probably just want to put it beyond public access and sling a .htaccess in the folder to assure calling headers included your domain as the request_uri

ok. I use a php hosting service that hosts about 30 some php sites on a linux machine. I can't just rely on some honor system where other acounts on the same linux machine won't look at my config.php. I just did a quick grep on a machine and found a bunch of mysql_connect statements. This is very disappointing.

by **Redcircle** » Tue Feb 25, 2003 6:47 pm

on a shared server there is really not much you can do.

by **Oleg Butuzov** » Tue Feb 25, 2003 10:40 pm

mindows wrote:i know the above code works, nike. my problem is that *anyone* on that system can read the config.php file.

1) Who is nike?
2) Anyone can read vars from script if thay using your server...

by **Redcircle** » Wed Feb 26, 2003 12:57 am

amallah wrote:So, if you run a web hosting service, pretty much security is down the drain? Are we saying that PHP is not meant for professional hosting then? If I have a database of user credit card numbers, then it's pretty much a free for all if you can get any type of access to the box?

It all depends on how the server has thier configuration. Most systems it is secure enough to make it difficult for people to get into and have resrictions from people accessing scripts cross domain. What I would do for your config.inc.php is make a dir behind the public_html. The only thing is no system is hacker proof. Credit Cards should NEVER be stored on a shared server. no exceptions.

by ****TVH*** » Sun Mar 09, 2003 8:38 am

mindows wrote:
Pejone wrote:just do it... test it.

i know the above code works, nike. my problem is that *anyone* on that system can read the config.php file.

PHP provide a lots of encrypt function, use it to protect your database info.

where to store mysql_connect username and password

where to store mysql_connect username and password

Who is online