Include security - database username and password
Posted: Mon Feb 03, 2003 6:22 am
I would like to set up an include file that contains code to retrieve database username and password:
Thus, connect.php would include db_auth.php to retrieve the constants defined therein.
Is this a major security flaw?
My own guess:
If the remote user can't gain source code access to the auth script, he can't read it.
My main question:
Can he include the auth script (across the web) into his crack script and see my constants there?
Code:
<?php
//connect.php
include "db_auth.php";
// Establish database connection
$link = mysql_connect($_SERVER['SERVER_NAME'],DB_USER,DB_PASS);
mysql_select_db("db");
//blabla
?>
Code:
<?php
//db_auth.php
define('DB_USER','secret_user_name');
define('DB_PASS','secret_password');
?>
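Added example, not part of the original post: a command-line check, in PHP, of the conditions under which a file like db_auth.php stays unreadable over HTTP, given that a web request for a PHP file returns the script's output rather than its source. The function name audit_auth_file, the temporary directory layout and the sample credentials are constructed for illustration.

```php
<?php
// check_db_auth.php - added example, run from the CLI: php check_db_auth.php
// audit_auth_file() and the temporary layout below are hypothetical.

function audit_auth_file(string $authFile, string $docRoot): array
{
    $real = realpath($authFile);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        return ["cannot resolve $authFile or $docRoot"];
    }
    $problems = [];

    // 1. Anything under the document root can be requested by URL.
    if (strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
        $problems[] = 'file is inside the document root';
    }
    // 2. Web servers usually hand only .php names to the interpreter;
    //    other names (e.g. .inc) are commonly sent back as plain text.
    if (strtolower(pathinfo($real, PATHINFO_EXTENSION)) !== 'php') {
        $problems[] = 'extension is not .php';
    }
    // 3. Other local accounts should not be able to read the file.
    if ((fileperms($real) & 0004) !== 0) {
        $problems[] = 'file is world-readable';
    }
    // 4. An HTTP request for the file returns whatever it prints,
    //    so including it must produce no output at all.
    ob_start();
    require $real;
    $out = ob_get_clean();
    if ($out !== '') {
        $problems[] = 'file prints ' . strlen($out) . ' byte(s) when run';
    }
    if (!defined('DB_USER') || !defined('DB_PASS')) {
        $problems[] = 'DB_USER / DB_PASS are not defined';
    }
    return $problems;
}

// Constructed sample layout: public/ is the web root, private/ is outside it.
$base = sys_get_temp_dir() . '/authdemo_' . getmypid();
mkdir("$base/public", 0700, true);
mkdir("$base/private", 0700, true);
$auth = "$base/private/db_auth.php";
file_put_contents($auth, "<?php\ndefine('DB_USER', 'demo_user');\ndefine('DB_PASS', 'demo_pass');\n");
chmod($auth, 0600);
$problems = audit_auth_file($auth, "$base/public");
echo $problems ? implode("\n", $problems) . "\n" : "OK\n";
```

To audit a real deployment, call audit_auth_file() with the actual path of db_auth.php and the server's document root instead of the constructed sample.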