I'm learning php/sql. I've been reading some tuts and trying to program my own little stuff with some degree of success. Now I am kind of stuck with some problems...
Where can I find info about how to declare my variables (passwd, login, server info, etc...) in a secure way? Is there any "tut" that is worth reading? The idea is making a little database php/mysql...
That information needs to go in a file of some sort, there is no way around that. The best thing to do is to put the file with that in it outside of the web root and then include it.
Other than that, just make sure that your web server and scripts are secure. There are many, many easier ways of hacking a site than trying to get ahold of the database credentials.
poteus wrote: I really don't think the hacking community is going to try to hack my database, but I don't want to leave any chances :/
You never know. It's much better to be safe than sorry. Even if your site doesn't have much on it of value, it could still get hacked if it was an easy target. I am glad to see you are taking the safe route.
poteus wrote: So global variables included in a file in a "secure" folder is "enough" protection?
I really don't think the hacking community is going to try to hack my database, but I don't want to leave any chances :/
If you don't want the data stored, the best you can do is hard-code the data into your functions, i.e., your mysql_connect() would have all of the credentials written rather than stored in variables. Once you've declared it as a variable, it becomes stored in memory. I've no idea how anyone can access that, but better safe than sorry.
In terms of keeping them unreadable, that is the best way to do it. If this is a distributed app, you can do things like parsing an INI file or making a class with privately scoped properties that are used then discarded after instantiation. But if it is a stand-alone app that only your server will take advantage of, there is no reason not to put the credentials into the database connection routine and include that site-wide.
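
Added example, not part of the thread or any poster's code: one way to combine the two suggestions above, a credentials file kept outside the web root and an INI file parsed at connect time. It uses PDO rather than the `mysql_connect()` mentioned in the thread, which was removed in PHP 7; the file paths, INI keys and function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example. File paths, INI keys and function names are hypothetical.
// Constructed sample INI, stored outside the web root (e.g. /var/www/private/db.ini):
//   host = "localhost"
//   name = "appdb"
//   user = "appuser"
//   pass = "change-me"

function loadDbConfig(string $iniPath, string $webRoot): array
{
    $real = realpath($iniPath);
    $root = realpath($webRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('Config file or web root not found');
    }
    // Refuse a config file that sits under the web root, where a server
    // misconfiguration could hand it out as plain text.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) === 0) {
        throw new RuntimeException('Config file must be outside the web root');
    }
    $cfg = parse_ini_file($real);
    if ($cfg === false) {
        throw new RuntimeException('Config file could not be parsed');
    }
    foreach (['host', 'name', 'user', 'pass'] as $key) {
        if (!isset($cfg[$key]) || !is_string($cfg[$key])) {
            throw new RuntimeException("Missing config key: $key");
        }
    }
    return $cfg;
}

function connectDb(array $cfg): PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $cfg['host'], $cfg['name']);
    try {
        return new PDO($dsn, $cfg['user'], $cfg['pass'], [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    } catch (PDOException $e) {
        // Log the reason server-side; rethrow without the original trace so
        // the credentials passed to the constructor never reach the browser.
        error_log('DB connection failed: ' . $e->getMessage());
        throw new RuntimeException('Database unavailable');
    }
}

// $db = connectDb(loadDbConfig('/var/www/private/db.ini', $_SERVER['DOCUMENT_ROOT']));
```

The INI file should be readable only by the account the web server runs PHP as, and kept out of version control.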