
Security in PHP scripts containing MySQL login info..

Posted: Thu Mar 06, 2003 2:31 pm
by gnaldrett
Hi there,

Still learning the art of PHP and looking for some guidance...

I have created a Content Management System for a site that I am working on - the whole site is based on dynamic content. The problem I have is that currently my database login info is in a file that I include in all scripts that require the database. It just holds a persistent connection with my username and password. I realise that this is not secure as this file is within a 'web' folder.

What is the most common solution to this kind of problem? Is it a permission thing, or can the file be placed in a non-web folder and accessed from there?

Any help would be great...

Regards,

Naz

Posted: Thu Mar 06, 2003 3:53 pm
by Sevengraff
Most people just name the file config.php and include it like that, because a user can't get to the source code of a .php file, but if you include it using include() or require() or whatever, it's just the same as if it was called .txt.

edit --

Oh, and where is your website?

Posted: Thu Mar 06, 2003 6:40 pm
by McGruff
Put the dlid in a folder protected by .htaccess (deny from all).

Your scripts can still include it, but no-one can open it to get your server connection name & pass.

You might also want to disable ftp access for this folder. I'm embarrassed to say I'm a bit unclear about that one since any site I've worked on has never used ftp downloads.

So how did I become a "programmer"? Well...
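
The non-web-folder option asked about in the first post can be enforced by the include itself. The following is an added example, not code from any poster in this thread: the function name `load_db_config`, the `private`/`public_html` layout and the config keys are assumptions made for illustration.

```php
<?php
// Added example: load DB credentials only from a file the web server cannot serve.
function load_db_config(string $path, string $docRoot): array
{
    $real = realpath($path);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('Config file or document root not found');
    }
    // Refuse a credentials file that sits under the document root, where a
    // handler misconfiguration would expose it as plain text.
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($real, $rootPrefix) === 0) {
        throw new RuntimeException('Config file is inside the document root');
    }
    // Refuse a file that every local account can read (relevant on shared hosts).
    $perms = fileperms($real);
    if ($perms === false || ($perms & 0004) !== 0) {
        throw new RuntimeException('Config file is world-readable; use mode 600 or 640');
    }
    // The config file is expected to return an array (assumed format).
    $cfg = require $real;
    foreach (['host', 'user', 'pass', 'name'] as $key) {
        if (!is_array($cfg) || !isset($cfg[$key])) {
            throw new RuntimeException("Config is missing key: $key");
        }
    }
    return $cfg;
}

// Constructed demo: temp directories stand in for the private and web folders.
$base = sys_get_temp_dir() . '/cfgdemo_' . getmypid();
mkdir("$base/private", 0700, true);
mkdir("$base/public_html", 0755, true);
file_put_contents(
    "$base/private/db.php",
    "<?php return ['host'=>'localhost','user'=>'cms','pass'=>'example-only','name'=>'cms'];"
);
chmod("$base/private/db.php", 0600);

$cfg = load_db_config("$base/private/db.php", "$base/public_html");
echo "Loaded config for user {$cfg['user']}\n";
```

In a real site the second argument would be `$_SERVER['DOCUMENT_ROOT']`, and the file must stay readable by the account PHP runs as.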