PHP security

zed
Forum Newbie
Posts: 2
Joined: Wed Jul 03, 2002 8:01 am

Post by zed »

I'm thinking about learning PHP. Last night, something started bothering me about it. Let's say that I am writing a login script for visitors to access my site. The script connects to a MySQL database with its name and password. If I am a malicious user, can I just download the login.php file and obtain all of the PHP code, including the name and password of my database? How do PHP files transfer when you do a 'Save Target As'?

Mike
martin
Forum Commoner
Posts: 33
Joined: Fri Jun 28, 2002 12:59 pm
Location: Cambridgeshire

Post by martin »

I understand there are many concerns when learning to code PHP, but the more you learn the clearer all will be. You can't download a PHP file unless someone wants you to or their server is not set up for PHP. This page is a .php script; look at the source and all you will see is the HTML.
Have some faith that the vast number of PHP coders out there would not be using it if it was a problem.
Good luck with your coding and remember to make good use of this forum.
Regards
Martin
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

They'll be parsed by the server (if it's set up to parse .php files as PHP) and all the nasty person will get is whatever the output of the page would have been if they had just clicked on the link as normal. So they won't get your username and password that way.

To test this out just save target as a page in this forum and check out what you get.

Mac

:roll: oops, too slow, thought I'd leave this up for reassurance though
zed
Forum Newbie
Posts: 2
Joined: Wed Jul 03, 2002 8:01 am

Post by zed »

Sounds good. As long as it is automatically parsed by the server, it sounds good to me.

Much obliged.

Mike
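The replies above depend on one condition: the server must actually execute .php files rather than hand them out as-is. The following check for that condition is an added example, not part of the original thread; the function names are hypothetical and the three HTTP responses are constructed samples of what a request for a .php URL might return.

```python
import re

# An unescaped PHP open tag only reaches the client when the script was
# served instead of executed. "<?xml" and HTML-escaped "&lt;?php" do not match.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# Content types a web server may send for .php files it has no handler for.
UNPARSED_TYPES = {"application/x-httpd-php", "application/x-php",
                  "text/x-php", "application/octet-stream"}

def parse_response(raw):
    """Split a raw HTTP response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def php_source_exposed(raw):
    """Return the reasons a response to a .php URL looks like raw source.
    An empty list means the response looks like normal parsed output."""
    status, headers, body = parse_response(raw)
    if status != 200:
        return []
    reasons = []
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype in UNPARSED_TYPES:
        reasons.append("content type %r suggests the file was not executed" % ctype)
    if PHP_OPEN_TAG.search(body):
        reasons.append("body contains an unescaped PHP open tag")
    return reasons

# Constructed sample: server executes PHP, client sees only the HTML output.
PARSED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n"
          "<html><body><form method=\"post\">Login</form></body></html>")
# Constructed sample: no PHP handler, so the script and its credentials leak.
LEAKED = ("HTTP/1.1 200 OK\r\nContent-Type: application/x-httpd-php\r\n\r\n"
          "<?php\n$db_user = 'EXAMPLE_USER';\n$db_pass = 'EXAMPLE_PASSWORD';\n?>")
# Constructed sample: a parsed page that displays PHP code as escaped text.
ESCAPED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
           "<html><body><pre>&lt;?php echo 'hi'; ?&gt;</pre></body></html>")

if __name__ == "__main__":
    for name, raw in (("parsed", PARSED), ("leaked", LEAKED), ("escaped", ESCAPED)):
        print(name, php_source_exposed(raw) or "looks parsed")
```

The check does not look for the bare `<?` short open tag, so a script written only with short tags would need the content-type signal to be caught.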