include/require

Posted: Wed May 28, 2003 11:31 am
by Dave9191
Hi, I have a question about the include/require functions.

I am making a site that connects to a database on most pages. So naturally I don’t want to have to put the database details into each page individually. So I have one page that has all the details and I include them into the other pages of the site.

But I have a question about the security of this method. Is it possible for someone from outside of the site (same server or different server) to be able to include that file into their own script if they know where it is and interact with my database? Or is this method safe? :) And if it's not, what else can I do?

Thanx

Posted: Wed May 28, 2003 11:44 am
by mrvanjohnson
Depends on how you configure your MySQL database, connections and permissions. Personally, I only connect to MySQL database using localhost with a user who only has permissions to connect via localhost. With this method, only people local to your box could be a threat.

Even if you need to connect to another MySQL database across the network, you can configure it to only accept connections from a specific IP address, which would be your IP address.

Not sure how you can address a local threat on a shared box.

Posted: Wed May 28, 2003 11:59 am
by Dave9191
Unfortunately, I don't configure the database or the server. I use 2 hosts. One that has been provided for me by someone (professional server) and lycos free hosting :)

What I am worried about is that someone who might know how my site is organised and has another account on lycos, could they be a potential threat?

Posted: Wed May 28, 2003 1:11 pm
by volka
The abuser's script must be able to read the source code to call functions within the script. If you have a file like

<?php
function connectmysql($database)
{
	return mysql_connect(....);
}
?>
One can call it via HTTP, but it'll be parsed by the webserver/PHP, and the output (to the client) only contains the output of the script, in this case: nothing. So this script is safe from outsiders, but if someone on the same host can read the script's file locally (i.e. the code, not only the output) the function might be used to connect to your database.
Therefore, check the file permissions and ask your provider how different accounts are separated from each other.
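
The file-permission check recommended above, as an added shell example that is not part of the original thread. The function name `audit_include`, its finding labels and the sample paths are hypothetical, and it assumes the web server hands only `*.php` files to PHP, so any other extension under the document root is sent to the client as plain text.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PHP include file that
# holds database credentials on a shared host.
# Usage: audit_include FILE DOCROOT
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 on bad input.
audit_include() {
    file=$1; docroot=$2; rc=0
    [ -f "$file" ] || { echo "NOT_A_FILE"; return 2; }

    # Mode string from ls, e.g. "-rw-r--r--"; character 8 is the
    # read bit for "other", i.e. every other local account.
    mode=$(ls -ld -- "$file" | cut -c1-10)
    if [ "$(printf '%s' "$mode" | cut -c8)" = r ]; then
        echo "WORLD_READABLE"; rc=1
    fi

    # Resolve both directories so symlinks and relative paths compare correctly.
    dir=$(cd "$(dirname "$file")" && pwd -P)
    root=$(cd "$docroot" && pwd -P)
    case "$dir/" in
        "$root"/*)
            # Reachable over HTTP. Assumption: only *.php is parsed by PHP,
            # so any other extension would be returned as source text.
            case "$file" in
                *.php) ;;
                *) echo "SERVED_AS_TEXT"; rc=1 ;;
            esac ;;
    esac
    return $rc
}

# Stand-alone use: sh audit.sh /path/to/include /path/to/docroot
if [ $# -ge 2 ]; then audit_include "$1" "$2"; fi
```

Where PHP runs as a web-server user shared by all accounts, the file has to stay readable by that user, which is why the provider's account separation matters as much as the mode bits.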

Posted: Thu May 29, 2003 6:29 pm
by Dave9191
Ah ha :D This sounds like a good plan, thank you :)

It's more secure than just having a php file that connects. And some fiddling with folder access settings should be nice too.