
Security connecting to database with PHP

Posted: Mon Jun 29, 2009 4:14 pm
by data2009
There is one thing that I don't understand about connecting to a database safely with PHP.

See example below:


<?php
$con = mysql_connect("localhost","peter","abc123");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
 
if (mysql_query("CREATE DATABASE my_db",$con))
  {
  echo "Database created";
  }
 
mysql_close($con);
?>
If I write down the password and username for connecting to the database in the PHP file, people can download my PHP file and find my username and password for my server. So this is not a safe way to connect to the database, is it?

What is the proper way to connect then (without letting people know my password and username)?
Thanks for your help.

Re: Security connecting to database with PHP

Posted: Mon Jun 29, 2009 5:45 pm
by requinix
data2009 wrote: people can download my PHP file
No, they can't.

I think it's just paranoia without actually understanding what's really going on, but many people advocate storing information like that in a file outside the web root (as in it's not contained in any file available through your website). For example, if your site is located at /home/data2009/public then you could put a config file at /home/data2009/private/config.php; this would have the usernames and passwords and such (perhaps as constants).
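
The layout just described, as an added example that is not code from the thread: DB credentials live in /home/data2009/private/config.php (outside the web root), and the script in /home/data2009/public loads them and refuses to run if the config is missing or turns out to sit under the document root. The file paths and the use of mysqli instead of the original post's mysql_connect() (removed in later PHP versions) are assumptions.

```php
<?php
// Added example, not code from the thread: load database credentials from a
// config file kept outside the web root and fail closed on any problem.
// Assumed layout: site in /home/data2009/public, secrets in /home/data2009/private.
// mysqli is used instead of the thread's mysql_connect(), which later PHP removed.

define('CONFIG_PATH', '/home/data2009/private/config.php');

// Contents of /home/data2009/private/config.php (constructed sample; it is never
// reachable by URL because it sits outside the document root):
//   <?php
//   define('DB_HOST', 'localhost');
//   define('DB_USER', 'peter');
//   define('DB_PASS', 'abc123');

function loadConfig($path)
{
    if (!is_file($path) || !is_readable($path)) {
        // Log the detail server-side; never echo paths or errors to visitors.
        error_log("config missing or unreadable: $path");
        exit('Configuration error');
    }
    // Refuse to load secrets from inside the document root: if the server were
    // ever misconfigured to serve .php files as plain text, they would leak.
    $docRoot = empty($_SERVER['DOCUMENT_ROOT']) ? false : realpath($_SERVER['DOCUMENT_ROOT']);
    $real = realpath($path);
    if ($docRoot !== false && strpos($real, $docRoot . DIRECTORY_SEPARATOR) === 0) {
        error_log("refusing to load config from inside the web root: $real");
        exit('Configuration error');
    }
    require_once $path; // defines DB_HOST, DB_USER, DB_PASS as constants
}

loadConfig(CONFIG_PATH);

// No database name yet: the original post creates my_db after connecting.
$con = mysqli_connect(DB_HOST, DB_USER, DB_PASS);
if (!$con) {
    error_log('Could not connect: ' . mysqli_connect_error());
    exit('Database unavailable');
}

// Same statement as the original post, now using credentials from the config.
if (mysqli_query($con, 'CREATE DATABASE IF NOT EXISTS my_db')) {
    echo 'Database created';
}
mysqli_close($con);
```

The document-root check is a safety net for the case BornForCode mentions later in the thread, a hosting change that suddenly serves files it should not; the credentials themselves still need a database account limited to what the site actually does.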

Re: Security connecting to database with PHP

Posted: Mon Jun 29, 2009 6:04 pm
by BornForCode
Or if you are crazy about security you may block any kind of attempt from the web using a .htaccess file. I saw "smart" people making nice ini files and forgetting to do that :mrgreen:

And remember nothing is 100% secure, for example someone may hack your host and in that moment you may say: "Houston we have a problem".

Re: Security connecting to database with PHP

Posted: Mon Jun 29, 2009 6:19 pm
by danielrs1
Usually people can't download PHP files. I think that's the right way.

Re: Security connecting to database with PHP

Posted: Tue Jun 30, 2009 5:36 am
by data2009
Seems like I'm worrying for nothing...
What's the normal way to connect to a database then? Could someone show me an example?

The way I described is really not safe. PHP files can easily be downloaded.

Re: Security connecting to database with PHP

Posted: Tue Jun 30, 2009 5:40 am
by BornForCode
You are using the correct way: http://www.php.net/function.mysql-connect

Re: Security connecting to database with PHP

Posted: Tue Jun 30, 2009 5:48 am
by data2009
I know the code is correct, but I don't want people to get my username and password by downloading my php file....

Re: Security connecting to database with PHP

Posted: Tue Jun 30, 2009 5:52 am
by BornForCode
Do not worry, if you don't create any Apache problems nobody will see the source of your php files :).

What I said, that it is proper to deny access to the file using .htaccess, is because it happened to me once: the hosting made some upgrades and everything was available to everybody. The other solution is to put your config file outside the www folder.

Re: Security connecting to database with PHP

Posted: Tue Jun 30, 2009 6:53 am
by data2009
I just know a little about PHP programming. Can you explain to me how .htaccess works? What do I need to do?
Regarding the config file: what config file? Will the site still run if I move it to another directory? Are no other modifications required?

Re: Security connecting to database with PHP

Posted: Tue Jun 30, 2009 7:00 am
by BornForCode
Usually you store this kind of parameter in a dedicated file, called config.php, because if you want to change something you don't want to browse the whole project to make the update.

Let's say for example you make a file called config.inc.php; the .htaccess file should look like this:

<Files config.inc.php>
  order allow,deny
  deny from all
</Files>

Re: Security connecting to database with PHP

Posted: Tue Jun 30, 2009 7:13 am
by data2009
Can you explain the code between the brackets? First allow, then deny, and deny from all?!
Do I need to specify all PHP files in the config.php file, whether they are allowed?

Re: Security connecting to database with PHP

Posted: Tue Jun 30, 2009 7:18 am
by BornForCode
The code applies only to the specified file; you create a file '.htaccess' and put the code inside. The code blocks web access to the file, but allows accessing it internally in your scripts.

Re: Security connecting to database with PHP

Posted: Tue Jun 30, 2009 7:24 am
by data2009
What does this mean then?
order allow,deny
deny from all