Where to hide mysql files?

mavera2
Forum Newbie
Posts: 8
Joined: Sat Sep 03, 2011 11:54 am

Where to hide mysql files?

Post by mavera2 »

I found a script in Google for a user registration system.
It has 20 different files and it also has a "settings.php" file where the username and password of my database are written.

My concern is about the place of the files.
Is it safe to put them in the "public_html" folder,
or should I keep the password file out of the "public_html" folder,
or should I put all the script files entirely outside "public_html"??

Thank you.
twinedev
Forum Regular
Posts: 984
Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio

Re: Where to hide mysql files?

Post by twinedev »

Depends on your environment and how the script is programmed.

Two main concerns come up:

1. can someone just browse to the file and see it
2. can someone who is on a shared server somehow see the code

So, if your server is set up correctly, just browsing to it (http://www.domain.com/settings.php) will not give them the source code, so they won't see the connection information. But it is also a good idea to add code to "included" files to prevent direct viewing. For debugging, I like seeing how long a script takes to run, so any script that should be called (directly browsed to), I start it with:

Code:

<?php
    define('SCRIPT_START', microtime(TRUE));
    //now do any includes...
    require_once('settings.php');
    
    // rest of script...

    $run_time = microtime(TRUE) - SCRIPT_START;
    echo "\n\n<!-- Script Ran in ",$run_time," seconds -->\n";
?>

Then in settings.php (and all other scripts that will only be used via includes) at the very top:

Code:

<?php
    if (!defined('SCRIPT_START')) { die('ERROR: Invalid direct call to script'); }

    // Rest of the script...
?>

Now, onto the issue of whether another user on shared hosting can see it. This depends on the environment. On my server, I have cPanel installed, and the default setup for that keeps a script from accessing files outside the user directory. Not all hosts are set up that way, and if that is the case, it doesn't matter if you put the script in the public_html directory or not, as if YOUR script can read it, so can another user's script (or a hack shell if one ends up on the server).

I used to keep things separated out, had public_html and a private_core. Now I just set up files properly; that way it is easier to roll out to another server if needed.

-Greg
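
An added example, not part of either post: twinedev's two concerns (the file being reachable by URL, and being readable by other accounts on a shared server) written as a start-up check for a settings file kept in a private_core directory beside public_html. The paths, the function name settings_file_problems, the return-array format of settings.php and the 0600 target mode (which assumes PHP runs as your own account rather than as a shared web-server user) are assumptions for illustration.

```php
<?php
// Added example, not from the thread. Assumed layout (hypothetical names):
//   /home/USER/public_html/index.php      <- this file, served by the web server
//   /home/USER/private_core/settings.php  <- ends with: return ['db_user' => ..., 'db_pass' => ...];
define('SCRIPT_START', microtime(true));   // same guard constant as in the post

/**
 * Return a list of problems with where and how a settings file is stored.
 * An empty list means both checks passed.
 */
function settings_file_problems(string $file, string $docRoot): array
{
    $real = realpath($file);      // resolves symlinks and ".." segments
    $root = realpath($docRoot);
    if ($real === false) {
        return ["settings file not found: $file"];
    }
    $problems = [];
    // Concern 1: inside the web root the file is reachable by URL, and its
    // source is served as text if PHP handling is ever misconfigured.
    if ($root !== false && strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
        $problems[] = 'settings file is inside the document root';
    }
    // Concern 2: on a shared server, group/other read bits let scripts
    // running under other accounts read the credentials.
    $mode = fileperms($real) & 0777;
    if ($mode & 0044) {
        $problems[] = sprintf('settings file mode is %04o; expected 0600 or 0400', $mode);
    }
    return $problems;
}

$settingsFile = dirname(__DIR__) . '/private_core/settings.php';
$problems = settings_file_problems($settingsFile, __DIR__);
if ($problems) {
    // Details go to the server log only; the visitor sees nothing specific.
    error_log('config check failed: ' . implode('; ', $problems));
    http_response_code(500);
    exit('Configuration error');
}
$settings = require $settingsFile;   // array returned by settings.php
```

If the host runs PHP as one shared web-server user, the file has to be readable by that user and the second check will report it, which is the situation described in the post where another user's script can read whatever yours can.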