where to store mysql_connect username and password


Postby mindows » Mon Feb 24, 2003 8:01 pm

how do people store their username and password for mysql_connect? it seems like most people just store it in an include file, but wouldn't it be dangerous to store in a php file? if the webserver fails to handle the php file incorrectly, couldn't the php source be viewable through the browser?
it seems like you can also define a default username/password in php.ini, but they indicate that it could be easily read by anyone who can view your environment variables.

so, how can i store mysql username/password securely?

Postby Romantik » Tue Feb 25, 2003 12:52 am

<? # config.php
$dbName=  "dbName";
$dbUser=    "dbUser";
$dbPass=    "dbUserPass";
$dbServer=  "dbServer";

$dbh= mysql_connect(....)or die(...);
$res= mysql_select_db(.....)or die(...);
?>
// We bear this file for limits server
<? #YourScript.php
require_once("YourPath/config.php");
// Your Code
?>

Postby mindows » Tue Feb 25, 2003 5:43 am

Romantik wrote:

<? # config.php
$dbName=  "dbName";
$dbUser=    "dbUser";
$dbPass=    "dbUserPass";
$dbServer=  "dbServer";

$dbh= mysql_connect(....)or die(...);
$res= mysql_select_db(.....)or die(...);
?>
// We bear this file for limits server
<? #YourScript.php
require_once("YourPath/config.php");
// Your Code
?>


don't you still have to have rx permissions on config.php in order for require to work?

Postby Oleg Butuzov » Tue Feb 25, 2003 7:07 am

just do it... test it.

Postby mindows » Tue Feb 25, 2003 7:58 am

Pejone wrote:just do it... test it.


i know the above code works, nike. my problem is that *anyone* on that system can read the config.php file.

Postby pootergeist » Tue Feb 25, 2003 2:45 pm

you probably just want to put it beyond public access and sling a .htaccess in the folder to assure calling headers included your domain as the request_uri

Postby mindows » Tue Feb 25, 2003 3:16 pm

pootergeist wrote:you probably just want to put it beyond public access and sling a .htaccess in the folder to assure calling headers included your domain as the request_uri



ok. I use a php hosting service that hosts about 30 some php sites on a linux machine. I can't just rely on some honor system where other accounts on the same linux machine won't look at my config.php. I just did a quick grep on a machine and found a bunch of mysql_connect statements. This is very disappointing.

Postby Redcircle » Tue Feb 25, 2003 6:47 pm

on a shared server there is really not much you can do.

Postby Oleg Butuzov » Tue Feb 25, 2003 10:40 pm

mindows wrote:i know the above code works, nike. my problem is that *anyone* on that system can read the config.php file.


1) Who is nike?
2) Anyone can read vars from script if they are using your server...

Postby Redcircle » Wed Feb 26, 2003 12:57 am

amallah wrote:So, if you run a web hosting service, pretty much security is down the drain? Are we saying that PHP is not meant for professional hosting then? If I have a database of user credit card numbers, then it's pretty much a free for all if you can get any type of access to the box?


It all depends on how the server has their configuration. Most systems it is secure enough to make it difficult for people to get into and have restrictions from people accessing scripts cross domain. What I would do for your config.inc.php is make a dir behind the public_html. The only thing is no system is hacker proof. Credit Cards should NEVER be stored on a shared server. No exceptions.
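
The two concerns raised in this thread (a config file sitting where the web server can serve it, and a config file other shell accounts can read) can be checked for a single file as below. This is an added example, not code posted by anyone in the thread; the function name `audit_db_config` and every path in it are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): audit one credentials file.
# audit_db_config and all paths below are hypothetical names.

# Physical absolute path of a file (resolves symlinked parent directories).
resolve_path() {
    local dir
    dir=$(cd "$(dirname -- "$1")" && pwd -P) || return 1
    printf '%s/%s\n' "$dir" "$(basename -- "$1")"
}

# audit_db_config FILE DOCROOT
# Prints one finding per line. Status: 0 clean, 1 findings, 2 usage error.
audit_db_config() {
    local file docroot mode rc=0
    file=$(resolve_path "$1") || { echo "ERROR cannot resolve $1"; return 2; }
    docroot=$(cd "$2" && pwd -P) || { echo "ERROR cannot resolve $2"; return 2; }
    [ -f "$file" ] || { echo "ERROR not a regular file: $file"; return 2; }

    # Under the document root the source is one handler misconfiguration
    # away from being served as plain text.
    case "$file" in
        "$docroot"/*) echo "INSIDE_DOCROOT $file"; rc=1 ;;
    esac

    # ls mode string, e.g. -rw-r--r--: character 8 is read for "other".
    mode=$(ls -ld -- "$file" | cut -c1-10)
    case "$mode" in
        ???????r??) echo "WORLD_READABLE $mode $file"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed demo layout: one config inside the web root (0644) and one
# in a sibling directory (0600). Prints the findings for both.
demo() {
    local t
    t=$(mktemp -d) || return 2
    mkdir -p "$t/public_html" "$t/private"
    printf '<?php $dbPass = "constructed-value";\n' > "$t/public_html/config.php"
    cp "$t/public_html/config.php" "$t/private/config.php"
    chmod 644 "$t/public_html/config.php"
    chmod 600 "$t/private/config.php"
    audit_db_config "$t/public_html/config.php" "$t/public_html"
    audit_db_config "$t/private/config.php" "$t/public_html"
    rm -rf "$t"
}

if [ "$#" -eq 2 ]; then audit_db_config "$1" "$2"; else demo; fi
```

These checks cover reads through the web server's static file handling and reads by other shell accounts. On a host where every site's PHP runs as the same web-server user, a file the server can read is still readable by other customers' scripts, which depends on the host's configuration rather than on the file's location or mode.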

Postby **TVH* » Sun Mar 09, 2003 8:38 am

mindows wrote:
Pejone wrote:just do it... test it.


i know the above code works, nike. my problem is that *anyone* on that system can read the config.php file.


PHP provides a lot of encryption functions, use them to protect your database info.

