Newbie programming questions... ???
Posted: Sat Aug 04, 2007 12:57 pm
by poteus
Hey, hello php developers...
I'm learning php/sql. I've been reading some tuts and trying to program my own little stuff with some degree of success. Now I am kind of stuck with some problems...
Where can I find info about how to declare my variables (passwd, login, server info, etc...) in a secure way? Is there any "tut" that is worth reading? The idea is making a little database php/mysql...

Posted: Sat Aug 04, 2007 1:01 pm
by iknownothing
PHP declares variables automatically.
Eg.
Code:
$username = $_POST['username']; // Posted from a form
...Already declared
Posted: Sat Aug 04, 2007 1:01 pm
by Begby
That information needs to go in a file of some sort, there is no way around that. The best thing to do is to put the file with that in it outside of the web root and then include it.
Other than that just make sure that your web server and scripts are secure. There are many many easier ways of hacking a site than trying to get ahold of the database credentials.
Posted: Sat Aug 04, 2007 1:04 pm
by poteus
So global variables included in a file in a "secure" folder is "enough" protection?
I really don't think the hacking community is going to try to hack my database, but I don't want to leave any chances :/
Posted: Sat Aug 04, 2007 1:06 pm
by Begby
STOP! Don't use global variables. Global variables are evil.
If it is something that never changes, like login info, then use constants (see define()).
Or you can look into using a config class of some sort.
Posted: Sat Aug 04, 2007 1:08 pm
by poteus
Roger that!
Reading "define()"... thx

Posted: Sat Aug 04, 2007 1:08 pm
by Begby
poteus wrote: I really don't think the hacking community is going to try to hack my database, but I don't want to leave any chances :/
You never know. It's much better to be safe than sorry. Even if your site doesn't have much on it of value, it could still get hacked if it was an easy target. I am glad to see you are taking the safe route.
Posted: Sat Aug 04, 2007 1:16 pm
by superdezign
poteus wrote: So global variables included in a file in a "secure" folder is "enough" protection?
I really don't think the hacking community is going to try to hack my database, but I don't want to leave any chances :/
If you don't want the data stored, the best you can do is hard-code the data into your functions. i.e., your mysql_connect() would have all of the credentials written rather than stored in variables. Once you've declared it as a variable, it becomes stored in memory. I've no idea how anyone can access that, but better safe than sorry.
Posted: Sat Aug 04, 2007 1:45 pm
by poteus
This is what I have in my "included" file...
Code:
function opendloa()
{
    // Credentials are written directly into the connection call, not kept in variables
    $link1 = mysql_connect('please.com', 'log', 'me')
        or die('Could not connect: ' . mysql_error());
    return $link1;
}
Posted: Sat Aug 04, 2007 10:44 pm
by RobertGonzalez
In terms of keeping them unreadable, that is the best way to do it. If this is a distributed app, you can do things like parsing an INI file or making a class with privately scoped properties that are used then discarded after instantiation. But if it is a stand-alone app that only your server will take advantage of, there is no reason not to put the credentials into the database connection routine and include that site-wide.
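
Added example, not part of any post in this thread: one way to combine the suggestions above (a file outside the web root, parsed as INI) with checks that the file really is outside the web root and not world-readable. The function names, INI keys, paths and sample values are assumptions; it uses mysqli because mysql_connect() was removed in PHP 7.

```php
<?php
// Added example: paths, key names and sample values below are assumptions.

// Load credentials from an INI file, refusing locations the web server could serve.
function load_db_config(string $iniPath, string $webRoot): array
{
    $real = realpath($iniPath);
    $root = realpath($webRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('Config file or web root not found');
    }
    if (strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('Config file is inside the web root');
    }
    // POSIX permission bits: reject a file readable by every local user.
    if ((fileperms($real) & 0004) !== 0) {
        throw new RuntimeException('Config file is world-readable');
    }
    // RAW mode keeps password characters such as ! or $ literal.
    $cfg = parse_ini_file($real, false, INI_SCANNER_RAW) ?: [];
    foreach (['host', 'user', 'pass', 'name'] as $key) {
        if (!isset($cfg[$key])) {
            throw new RuntimeException("Missing config key: $key");
        }
    }
    return $cfg;
}

// Connect, log the detailed error server-side, show visitors a generic message.
function open_db(array $cfg): mysqli
{
    mysqli_report(MYSQLI_REPORT_OFF);
    $link = @new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name']);
    if ($link->connect_errno) {
        error_log('DB connect failed: ' . $link->connect_error);
        exit('Database unavailable.');
    }
    return $link;
}

// Demo on a constructed layout in the temp directory (no database needed).
$base = sys_get_temp_dir() . '/cfgdemo_' . getmypid();
mkdir("$base/public_html", 0700, true);
file_put_contents("$base/db.ini", "host=localhost\nuser=app\npass=constructed!pw\nname=appdb\n");
chmod("$base/db.ini", 0600);
$cfg = load_db_config("$base/db.ini", "$base/public_html");
echo "Loaded credentials for '{$cfg['user']}' from outside the web root\n";
```

In a real script, pass the returned array to open_db(); the demo stops before connecting so it runs without a database server.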