Newbie programming questions... ???

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

poteus
Forum Newbie
Posts: 10
Joined: Sat Aug 04, 2007 12:24 pm

Post by poteus »

Hey, hello php developers...

I'm learning php/sql. I've been reading some tuts and trying to program my own little stuff with some degree of success. Now I am kind of stuck with some problems...

Where can I find info about how to declare my variables (passwd, login, server info, etc...) in a secure way? Is there any "tut" that is worth reading? The idea is making a little database php/mysql... :D
iknownothing
Forum Contributor
Posts: 337
Joined: Sun Dec 17, 2006 11:53 pm
Location: Sunshine Coast, Australia

Post by iknownothing »

PHP declares variables automatically.

Eg.

Code:

$username = $_POST['username']; // Posted from a form
// ...already declared
Last edited by iknownothing on Sat Aug 04, 2007 1:02 pm, edited 1 time in total.
Begby
Forum Regular
Posts: 575
Joined: Wed Dec 13, 2006 10:28 am

Post by Begby »

That information needs to go in a file of some sort; there is no way around that. The best thing to do is to put the file with that in it outside of the web root and then include it.

Other than that, just make sure that your web server and scripts are secure. There are many, many easier ways of hacking a site than trying to get ahold of the database credentials.
poteus
Forum Newbie
Posts: 10
Joined: Sat Aug 04, 2007 12:24 pm

Post by poteus »

So global variables included in a file in a "secure" folder is "enough" protection?

I really don't think the hacking community is going to try to hack my database, but I don't want to leave any chances :/
Begby
Forum Regular
Posts: 575
Joined: Wed Dec 13, 2006 10:28 am

Post by Begby »

STOP! Don't use global variables. Global variables are evil.

If it is something that never changes, like login info, then use constants (see define()).

Or you can look into using a config class of some sort.
poteus
Forum Newbie
Posts: 10
Joined: Sat Aug 04, 2007 12:24 pm

Post by poteus »

Roger that!
Reading "define()"... thx :D
Begby
Forum Regular
Posts: 575
Joined: Wed Dec 13, 2006 10:28 am

Post by Begby »

poteus wrote: I really don't think the hacking community is going to try to hack my database, but I don't want to leave any chances :/
You never know. It's much better to be safe than sorry. Even if your site doesn't have much on it of value, it could still get hacked if it was an easy target. I am glad to see you are taking the safe route.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

poteus wrote: So global variables included in a file in a "secure" folder is "enough" protection?

I really don't think the hacking community is going to try to hack my database, but I don't want to leave any chances :/
If you don't want the data stored, the best you can do is hard-code the data into your functions, i.e., your mysql_connect() would have all of the credentials written rather than stored in variables. Once you've declared it as a variable, it becomes stored in memory. I've no idea how anyone can access that, but better safe than sorry.
poteus
Forum Newbie
Posts: 10
Joined: Sat Aug 04, 2007 12:24 pm

Post by poteus »

This is what I have in my "included" file...

Code:

function opendloa()
{
	$link1 = mysql_connect('please.com', 'log', 'me')
		or die('Could not connect: ' . mysql_error());
	return $link1;
}
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

In terms of keeping them unreadable, that is the best way to do it. If this is a distributed app, you can do things like parsing an INI file or making a class with privately scoped properties that are used then discarded after instantiation. But if it is a stand-alone app that only your server will take advantage of, there is no reason not to put the credentials into the database connection routine and include that site wide.
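
The advice in this thread (keep the credentials file outside the web root, optionally as a parsed INI file, and confine the values to the connection routine), sketched as an added example that is not part of the original posts. The function names, INI keys, paths and sample values are assumptions, and it uses PDO rather than the mysql_connect() call shown in the thread.

```php
<?php
// Added example: function names, INI keys and sample values are assumptions.

/** Load DB credentials from an INI file that must live outside the web root. */
function load_db_config(string $iniPath, string $webRoot): array
{
    $real = realpath($iniPath);
    $root = realpath($webRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('Config file or web root not found');
    }
    // A file under the web root can be served as plain text if PHP handling breaks.
    if (strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('Config file is inside the web root');
    }
    // Refuse files that other local users can read (POSIX permission bits).
    if (DIRECTORY_SEPARATOR === '/' && (fileperms($real) & 0004)) {
        throw new RuntimeException('Config file is world-readable');
    }
    // RAW mode: characters in the password are not interpreted as INI syntax.
    $cfg = parse_ini_file($real, false, INI_SCANNER_RAW);
    foreach (['host', 'name', 'user', 'pass'] as $key) {
        if ($cfg === false || !isset($cfg[$key]) || $cfg[$key] === '') {
            throw new RuntimeException("Missing or unreadable config key: $key");
        }
    }
    return $cfg;
}

/** Open the connection; the credentials exist only in this function's local scope. */
function open_db(string $iniPath, string $webRoot): PDO
{
    $c = load_db_config($iniPath, $webRoot);
    $dsn = "mysql:host={$c['host']};dbname={$c['name']};charset=utf8mb4";
    return new PDO($dsn, $c['user'], $c['pass'], [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
}

// Demo on constructed data: a temp directory stands in for the server layout.
$base = sys_get_temp_dir() . '/cfgdemo_' . getmypid();
mkdir("$base/public_html", 0755, true);
file_put_contents("$base/db.ini", "host = db.example.test\nname = app\nuser = app_rw\npass = constructed-sample\n");
chmod("$base/db.ini", 0600);
copy("$base/db.ini", "$base/public_html/db.ini"); // misplaced copy, to show the rejection

print_r(array_keys(load_db_config("$base/db.ini", "$base/public_html")));
try {
    load_db_config("$base/public_html/db.ini", "$base/public_html");
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

The demo only exercises load_db_config(); open_db() needs a reachable MySQL server and is defined to show where the loaded values would be consumed.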