
where to store mysql_connect username and password


Moderators: macek, egami, gesf


Postby mindows » Mon Feb 24, 2003 8:01 pm

how do people store their username and password for mysql_connect? it seems like most people just store it in an include file, but wouldn't it be dangerous to store in a php file? if the webserver fails to handle the php file incorrectly, couldn't the php source be viewable through the browser?
it seems like you can also define a default username/password in php.ini, but they indicate that it could be easily read by anyone who can view your environment variables.

so, how can i store mysql username/password securely?
mindows
New php-forum User
Posts: 4
Joined: Mon Feb 24, 2003 7:51 pm

Postby Romantik » Tue Feb 25, 2003 12:52 am

Code:
<? # config.php
$dbName=  "dbName";
$dbUser=    "dbUser";
$dbPass=    "dbUserPass";
$dbServer=  "dbServer";

$dbh= mysql_connect(....)or die(...);
$res= mysql_select_db(.....)or die(...);
?>
// We bear this file for limits server
<? #YourScript.php
require_once("YourPath/config.php");
// Your Code
?>
Romantik
New php-forum User
Posts: 67
Joined: Mon Feb 24, 2003 2:55 am
Location: ../Ukraine/Kherson

Postby mindows » Tue Feb 25, 2003 5:43 am

Romantik wrote:
Code:
<? # config.php
$dbName=  "dbName";
$dbUser=    "dbUser";
$dbPass=    "dbUserPass";
$dbServer=  "dbServer";

$dbh= mysql_connect(....)or die(...);
$res= mysql_select_db(.....)or die(...);
?>
// We bear this file for limits server
<? #YourScript.php
require_once("YourPath/config.php");
// Your Code
?>


don't you still have to have rx permissions on config.php in order for require to work?
mindows
New php-forum User
Posts: 4
Joined: Mon Feb 24, 2003 7:51 pm

Postby Oleg Butuzov » Tue Feb 25, 2003 7:07 am

just do it... test it.
Oleg Butuzov
Last Samuray
Posts: 831
Joined: Sun Jun 02, 2002 3:09 am

Postby mindows » Tue Feb 25, 2003 7:58 am

Pejone wrote:just do it... test it.


i know the above code works, nike. my problem is that *anyone* on that system can read the config.php file.
mindows
New php-forum User
Posts: 4
Joined: Mon Feb 24, 2003 7:51 pm

Postby pootergeist » Tue Feb 25, 2003 2:45 pm

you probably just want to put it beyond public access and sling a .htaccess in the folder to assure calling headers included your domain as the request_uri
pootergeist
New php-forum User
Posts: 191
Joined: Wed Jan 29, 2003 7:11 am
Location: UK

Postby mindows » Tue Feb 25, 2003 3:16 pm

pootergeist wrote:you probably just want to put it beyond public access and sling a .htaccess in the folder to assure calling headers included your domain as the request_uri



ok. I use a php hosting service that hosts about 30 some php sites on a linux machine. I can't just rely on some honor system where other accounts on the same linux machine won't look at my config.php. I just did a quick grep on a machine and found a bunch of mysql_connect statements. This is very disappointing.
mindows
New php-forum User
Posts: 4
Joined: Mon Feb 24, 2003 7:51 pm

Postby Redcircle » Tue Feb 25, 2003 6:47 pm

on a shared server there is really not much you can do.
Redcircle
Moderator
Posts: 830
Joined: Tue Jan 21, 2003 10:42 pm
Location: Michigan USA

Postby Oleg Butuzov » Tue Feb 25, 2003 10:40 pm

mindows wrote:i know the above code works, nike. my problem is that *anyone* on that system can read the config.php file.


1) Who is nike?
2) Anyone can read vars from a script if they are using your server...
Oleg Butuzov
Last Samuray
Posts: 831
Joined: Sun Jun 02, 2002 3:09 am

Postby Redcircle » Wed Feb 26, 2003 12:57 am

amallah wrote:So, if you run a web hosting service, pretty much security is down the drain? Are we saying that PHP is not meant for professional hosting then? If I have a database of user credit card numbers, then it's pretty much a free for all if you can get any type of access to the box?


It all depends on how the server has their configuration. On most systems it is secure enough to make it difficult for people to get into and has restrictions on people accessing scripts cross domain. What I would do for your config.inc.php is make a dir behind the public_html. The only thing is no system is hacker proof. Credit Cards should NEVER be stored on a shared server. No exceptions.
Redcircle
Moderator
Posts: 830
Joined: Tue Jan 21, 2003 10:42 pm
Location: Michigan USA
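
The advice above (keep the config in a directory behind public_html) together with the concern that any local account can read config.php, as an added example that is not part of the original thread: a loader that refuses a credentials file sitting under the web root or carrying the world-read bit. The paths, the `db-config.php` name and both function names are hypothetical, and a POSIX host is assumed.

```php
<?php
// Added example, not code from the thread. Paths and names are constructed.

// Return the reasons a credentials file is unsafe where it sits; empty = OK.
function audit_config_file(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);
    if ($real === false || !is_file($real)) {
        return ['config file not found'];
    }
    $problems = [];
    $root = realpath($docRoot);
    $prefix = ($root === false) ? null : rtrim($root, '/') . '/';
    // Under the web root, a broken PHP handler serves the file as plain text.
    if ($prefix !== null && strncmp($real, $prefix, strlen($prefix)) === 0) {
        $problems[] = 'file is inside the document root';
    }
    // The "other" read bit lets every local account on the host read it.
    if ((fileperms($real) & 0004) !== 0) {
        $problems[] = 'file is world-readable';
    }
    return $problems;
}

// Load the settings array only if the file passes the audit.
function load_db_config(string $configPath, string $docRoot): array
{
    $problems = audit_config_file($configPath, $docRoot);
    if ($problems !== []) {
        // Details go to the server log, never to the browser.
        error_log('db config refused: ' . implode('; ', $problems));
        throw new RuntimeException('Database configuration unavailable');
    }
    $config = require $configPath;   // the file returns an array
    if (!is_array($config)) {
        throw new RuntimeException('Database configuration unavailable');
    }
    return $config;
}

// Constructed demo: a throwaway tree standing in for one hosting account.
$home = sys_get_temp_dir() . '/cfgdemo_' . getmypid();
mkdir("$home/public_html", 0700, true);
mkdir("$home/private", 0700, true);
$cfg = "$home/private/db-config.php";
file_put_contents($cfg, "<?php return ['host' => 'dbServer', 'user' => 'dbUser', 'pass' => 'dbUserPass', 'name' => 'dbName'];\n");
chmod($cfg, 0644);                                  // permissive mode
print_r(audit_config_file($cfg, "$home/public_html"));
chmod($cfg, 0600);                                  // owner-only mode
print_r(array_keys(load_db_config($cfg, "$home/public_html")));
```

Dropping the world-read bit only helps when PHP runs under your own account (for example through suEXEC or a per-user PHP-FPM pool); where every site's scripts run as one shared web-server user, that user must be able to read the file, so other customers' scripts can read it too.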

Postby **TVH* » Sun Mar 09, 2003 8:38 am

mindows wrote:
Pejone wrote:just do it... test it.


i know the above code works, nike. my problem is that *anyone* on that system can read the config.php file.


PHP provides a lot of encryption functions, use them to protect your database info.
**TVH*
New php-forum User
Posts: 3
Joined: Wed Oct 02, 2002 6:18 am
Location: Vietnam

