Security connecting to database with PHP

data2009
Forum Newbie
Posts: 9
Joined: Mon Jun 29, 2009 4:05 pm

Security connecting to database with PHP

Post by data2009 »

There is one thing that I don't understand about connecting to a database safely with PHP.

See example below:

Code:

<?php
$con = mysql_connect("localhost","peter","abc123");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
 
if (mysql_query("CREATE DATABASE my_db",$con))
  {
  echo "Database created";
  }
 
mysql_close($con);
?>
If I write down the password and username for connecting to the database in a PHP file, people can download my PHP file and find my username and password to my server. So this is not a safe way to connect to a database, is it?

What is the proper way to connect then (without letting people know my password and username)?
Thanks for your help.
Last edited by Benjamin on Mon Jun 29, 2009 11:21 pm, edited 1 time in total.
Reason: Changed code type from text to php.
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: Security connecting to database with PHP

Post by requinix »

data2009 wrote: people can download my PHP file
No, they can't.

I think it's just paranoia without actually understanding what's really going on, but many people advocate storing information like that in a file outside the web root (as in it's not contained in any file available through your website). For example, if your site is located at /home/data2009/public then you could put a config file at /home/data2009/private/config.php; this would have the usernames and passwords and such (perhaps as constants).
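An added example (not part of requinix's post or any code from this thread) of the layout described above: the credentials live in /home/data2009/private/config.php and a script inside the web root loads them. The `index.php` filename and the array keys are assumptions made for the example; mysqli is used because the `mysql_*` functions from the original question were removed in PHP 7.

```php
<?php
// public/index.php: lives inside the web root (/home/data2009/public).
//
// Assumed contents of /home/data2009/private/config.php, which sits
// outside the web root so no URL maps to it, even if the server ever
// stops interpreting PHP and starts serving source as plain text:
//
//     <?php
//     return [
//         'db_host' => 'localhost',
//         'db_user' => 'peter',
//         'db_pass' => 'abc123',
//     ];
//
// The array keys are names chosen for this example.

$configPath = dirname(__DIR__) . '/private/config.php';
if (!is_readable($configPath)) {
    // Fail closed with a generic message; keep the path in the server log.
    error_log("Config file missing or unreadable: $configPath");
    http_response_code(500);
    exit('Server configuration error.');
}
$config = require $configPath;

// Make mysqli throw exceptions instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

try {
    $con = new mysqli($config['db_host'], $config['db_user'], $config['db_pass']);
    $con->query('CREATE DATABASE IF NOT EXISTS my_db');
    $con->close();
    echo 'Database ready';
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; driver errors shown to visitors can
    // reveal host names, user names and schema details.
    error_log('Database error: ' . $e->getMessage());
    http_response_code(500);
    exit('Database error.');
}
```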
BornForCode
Forum Contributor
Posts: 147
Joined: Mon Feb 11, 2008 1:56 am

Re: Security connecting to database with PHP

Post by BornForCode »

Or if you are crazy about security you may block any kind of attempt from the web using a .htaccess file. I saw "smart" people making nice ini files and forgetting to do that :mrgreen:

And remember nothing is 100% secure; for example, someone may hack your host, and at that moment you may say: "Houston, we have a problem".
danielrs1
Forum Commoner
Posts: 29
Joined: Wed Jun 24, 2009 5:30 pm

Re: Security connecting to database with PHP

Post by danielrs1 »

Usually people can't download PHP files. I think that's the right way.
data2009
Forum Newbie
Posts: 9
Joined: Mon Jun 29, 2009 4:05 pm

Re: Security connecting to database with PHP

Post by data2009 »

Seems like I'm worrying for nothing...
What's the normal way to connect to a database then? Could someone show me an example?

The way I described is really not safe. PHP files can easily be downloaded.
BornForCode
Forum Contributor
Posts: 147
Joined: Mon Feb 11, 2008 1:56 am

Re: Security connecting to database with PHP

Post by BornForCode »

You are using the correct way http://www.php.net/function.mysql-connect
data2009
Forum Newbie
Posts: 9
Joined: Mon Jun 29, 2009 4:05 pm

Re: Security connecting to database with PHP

Post by data2009 »

I know the code is correct, but I don't want people to get my username and password by downloading my PHP file....
BornForCode
Forum Contributor
Posts: 147
Joined: Mon Feb 11, 2008 1:56 am

Re: Security connecting to database with PHP

Post by BornForCode »

Do not worry, if you don't create any Apache problems nobody will see the source of your PHP files :).

The reason I said it is proper to deny access to the file using .htaccess is that it happened to me once: the hosting made some upgrades and everything was available to everybody. The other solution is to put your config file outside the www folder.
data2009
Forum Newbie
Posts: 9
Joined: Mon Jun 29, 2009 4:05 pm

Re: Security connecting to database with PHP

Post by data2009 »

I just know something about PHP programming. Can you explain to me how .htaccess works? What do I need to do?
Regarding the config file. What config file? Will the site still run if I move it to another directory? No other modifications are required?
BornForCode
Forum Contributor
Posts: 147
Joined: Mon Feb 11, 2008 1:56 am

Re: Security connecting to database with PHP

Post by BornForCode »

Usually you store this kind of parameter in a dedicated file, called config.php, because if you want to change something you don't want to browse the whole project to make the update.

Let's say, for example, you make a file called config.inc.php; the .htaccess file should look like this:

Code:

<Files config.inc.php>
  order allow,deny
  deny from all
</Files>
 
data2009
Forum Newbie
Posts: 9
Joined: Mon Jun 29, 2009 4:05 pm

Re: Security connecting to database with PHP

Post by data2009 »

Can you explain the code between the brackets? First allow, then deny, and deny from all?!
Do I need to specify all php files in the config.php file whether they are allowed?
BornForCode
Forum Contributor
Posts: 147
Joined: Mon Feb 11, 2008 1:56 am

Re: Security connecting to database with PHP

Post by BornForCode »

The code is available only for the specified file; you create a file '.htaccess' and put the code inside. The code is blocking web access to the file, but allows accessing it internally in your scripts.
data2009
Forum Newbie
Posts: 9
Joined: Mon Jun 29, 2009 4:05 pm

Re: Security connecting to database with PHP

Post by data2009 »

What does this mean then?
order allow,deny
deny from all