
Include security - database username and password

Posted: Mon Feb 03, 2003 6:22 am
by Heavy
I would like to set up an include file that contains code to retrieve database username and password:

Code:

<?php
//connect.php

include "db_auth.php";
// Establish database connection

$link = mysql_connect($_SERVER['SERVER_NAME'],DB_USER,DB_PASS);
mysql_select_db("db");

//blabla

?>

Code:

<?php
//db_auth.php
define('DB_USER','secret_user_name');
define('DB_PASS','secret_password');
?>

Thus, connect.php would include db_auth.php to retrieve the constants defined therein.

Is this a major security flaw?

My own guess:
If the remote user can't gain source code access to the auth script, he can't read it.

My main question:
Can he include the auth script (across the web) into his crack script and see my constants there?

Posted: Mon Feb 03, 2003 6:47 am
by volka
If across the web means through the php-processor: no, since only the output is transmitted and your db_auth.php does not produce any output.
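
The answer above holds only while the server runs the include through PHP and the file prints nothing. The following check is an added example, not code from any poster in this thread; it audits a credentials include for those conditions plus its location and file permissions. It assumes a server that maps only the .php extension to the interpreter, and the directory names, constant names and values in the sample layout are constructed.

```php
<?php
// Added example (not from the thread). Run from the CLI: php audit_include.php
// Audits a credentials include for the property the answer relies on:
// requesting it over HTTP is harmless only if PHP executes it and it prints nothing.

function audit_credentials_file(string $path, string $docRoot): array
{
    $real = realpath($path);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        return ['path not found'];
    }
    $findings = [];
    // 1. Any extension the server does not hand to PHP is sent as plain source.
    if (strtolower(pathinfo($real, PATHINFO_EXTENSION)) !== 'php') {
        $findings[] = 'not a .php file: the server may return the source as text';
    }
    // 2. A file outside the document root has no URL at all.
    if (strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
        $findings[] = 'inside the document root: reachable by URL';
    }
    // 3. Execute it and capture whatever it would send to a client.
    ob_start();
    include $real;
    $out = ob_get_clean();
    if ($out !== '') {
        $findings[] = 'emits ' . strlen($out) . ' byte(s) of output when executed';
    }
    // 4. Other local accounts on a shared host should not be able to read it.
    if ((fileperms($real) & 0004) !== 0) {
        $findings[] = 'world-readable on the filesystem';
    }
    return $findings;
}

// Constructed sample layout in a temp directory (hypothetical names and values).
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'audit_' . getmypid();
mkdir("$base/htdocs", 0755, true);
mkdir("$base/private", 0700, true);
file_put_contents("$base/htdocs/db_auth.inc", "<?php define('DEMO_USER_A', 'x'); ?>\n\n");
file_put_contents("$base/private/db_auth.php", "<?php define('DEMO_USER_B', 'x');\n");
chmod("$base/private/db_auth.php", 0600);

foreach (["$base/htdocs/db_auth.inc", "$base/private/db_auth.php"] as $file) {
    $findings = audit_credentials_file($file, "$base/htdocs");
    echo basename(dirname($file)), '/', basename($file), ': ',
        $findings ? implode('; ', $findings) : 'no findings', "\n";
}
```

The output check also catches stray whitespace after a closing `?>` tag, which is why the second sample file omits the tag.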

Posted: Mon Feb 03, 2003 7:47 am
by DeGauss
If it really bothers you, check that only users coming from LOCALHOST can use MySQL on your machine...

I don't actually know of anyone who uses any other host than localhost for running their MySQL database...