Include security - database username and password

Post by Heavy »

I would like to set up an include file that contains code to retrieve database username and password:

<?php
//connect.php

include "db_auth.php";
// Establish database connection

$link = mysql_connect($_SERVER['SERVER_NAME'],DB_USER,DB_PASS);
mysql_select_db("db");

//blabla

?>

<?php
//db_auth.php
define('DB_USER','secret_user_name');
define('DB_PASS','secret_password');
?>

Thus, connect.php would include db_auth.php to retrieve the constants defined therein.

Is this a major security flaw?

My own guess:
If the remote user can't gain source code access to the auth script, he can't read it.

My main question:
Can he include the auth script (across the web) into his crack script and see my constants there?


Post by volka »

If across the web means through the php-processor: no, since only the output is transmitted and your db_auth.php does not produce any output.
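
Added example, not part of any post in this thread: the answer above holds only while the server actually runs db_auth.php through PHP. The script below checks a response body from your own server for signs that the file came back as source instead; the function name, sample bodies and CLI argument are constructed for illustration.

```php
<?php
// Added example (not from the thread). Names and sample bodies are constructed.
// Input: the HTTP response body your own server returns for the include file's URL.

/** Return reasons the body looks like leaked PHP source; empty array = nothing found. */
function source_leak_findings(string $body): array
{
    $findings = [];
    // Raw or HTML-escaped PHP open tag: the file was sent as text, not executed.
    if (preg_match('/(<|&lt;)\?(php\b|=|\s)/i', $body)) {
        $findings[] = 'PHP open tag in response: file served without being executed';
    }
    // The constant names used in the thread's db_auth.php (plain or entity-quoted).
    if (preg_match('/define\s*\(\s*(\'|"|&#0?39;|&quot;)DB_(USER|PASS)\b/i', $body)) {
        $findings[] = 'define() of DB_USER/DB_PASS visible in response';
    }
    return $findings;
}

// Constructed sample responses for a request to db_auth.php under three setups.
$samples = [
    'executed by PHP (expected)'  => '',
    'served as plain text'        => "<?php\ndefine('DB_USER','example_user');\n?>",
    'served as HTML-escaped text' => '&lt;?php define(&#039;DB_PASS&#039;,&#039;example&#039;);',
];

// Optional: pass a file holding a saved response body as the first CLI argument.
if (PHP_SAPI === 'cli' && isset($argv[1]) && is_readable($argv[1])) {
    $samples = [$argv[1] => file_get_contents($argv[1])];
}

$exit = 0;
foreach ($samples as $label => $body) {
    $findings = source_leak_findings($body);
    echo $label, ': ', $findings ? 'LEAK' : 'ok', PHP_EOL;
    foreach ($findings as $f) {
        echo '  - ', $f, PHP_EOL;
        $exit = 1; // non-zero exit so the check can gate a deployment script
    }
}
exit($exit);
```

An empty body is the expected result for an include that only defines constants; any finding means the credentials should be treated as exposed and the file moved out of the web root.
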

Post by DeGauss »

If it really bothers you, check that only users coming from LOCALHOST can use MySQL on your machine...

I don't actually know of anyone who uses any other host than localhost for running their MySQL database...