Database Security

ngungo
Forum Commoner
Posts: 75
Joined: Thu Jun 08, 2006 10:45 pm

Database Security

Post by ngungo »

I quote from here: http://www.si.umich.edu/SICOMPOLD/howto ... curity.php
PHP-MySQL Security
As far as security goes it might be a good idea to pull your password out of your script. This can be done fairly easily.

I would recommend creating a "data" directory with a 'data.php' file in it. The contents of data.php would be something like this:


<?php
$username='jlockard';
$password='my_password';
$servername='sqldb.si.umich.edu';
?>


in the data directory you'd have a .htaccess file that contained:


<FILESMATCH "\.php$">
order deny,allow
deny from all
</FILESMATCH>


Then, in your regular php scripts, you'd do something like this:


<?php
include("data/data.php");
$db = mysql_connect($servername, $username, $password) or die("Could not connect: " . mysql_error());
mysql_select_db($username, $db);

.... etc ...
?>
Is this a secure method? Any other suggestions? Thanks!!!
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

It adds a razor thin layer of security, and I do mean razor thin. If PHP is executing properly and the files are named correctly, the username, et al., couldn't be pulled from off server. This protection does not prevent someone on the server from getting the files.
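One way to act on feyd's point, as an added example that is not from the thread or the quoted page: keep the credentials file outside the web server's document root entirely (so no .htaccess rule is needed to hide it from off-server clients), refuse to use it if its permissions let other local accounts read it, and connect with PDO so errors are raised instead of swallowed. The directory layout, the `loadDbConfig`/`connectDb` helper names and the config array keys are assumptions.

```php
<?php
// Added example, not from the thread. Assumed layout:
//   /var/www/app/public/        <- Apache DocumentRoot (index.php lives here)
//   /var/www/app/config/db.php  <- credentials, outside the document root
// A file that is never under DocumentRoot cannot be served to an "off server"
// client even if PHP stops executing; the permission check below addresses the
// "on server" case (other local accounts reading the file).
// config/db.php is assumed to contain only:
//   <?php
//   return ['host' => 'localhost', 'dbname' => 'app', 'user' => 'app_user', 'pass' => 'CHANGE_ME'];

function loadDbConfig(string $path): array
{
    if (!is_file($path) || !is_readable($path)) {
        throw new RuntimeException("DB config not found or unreadable: $path");
    }
    // Refuse a config file that group or others can read; it should be 0600 or 0400.
    if ((fileperms($path) & 0077) !== 0) {
        throw new RuntimeException("DB config $path is readable by other users; chmod 600 it");
    }
    $cfg = require $path;
    if (!is_array($cfg)) {
        throw new RuntimeException('DB config must return an array');
    }
    foreach (['host', 'dbname', 'user', 'pass'] as $key) {
        if (!isset($cfg[$key])) {
            throw new RuntimeException("DB config missing key '$key'");
        }
    }
    return $cfg;
}

function connectDb(array $cfg): PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $cfg['host'], $cfg['dbname']);
    return new PDO($dsn, $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly, not silently
        PDO::ATTR_EMULATE_PREPARES => false,                  // server-side prepared statements
    ]);
}

// In public/index.php: __DIR__ is the document root, so step up one level.
try {
    $db = connectDb(loadDbConfig(__DIR__ . '/../config/db.php'));
    // ... run queries through $db->prepare() ...
} catch (Throwable $e) {
    error_log($e->getMessage());   // detail stays in the server log
    http_response_code(500);
    echo 'Database unavailable.';  // never echo the DSN or credentials to the browser
}
```

The `mysql_*` functions used in the quoted snippet were removed in PHP 7, which is why the example connects through PDO instead.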
ngungo
Forum Commoner
Posts: 75
Joined: Thu Jun 08, 2006 10:45 pm

Post by ngungo »

feyd wrote: It adds a razor thin layer of security, and I do mean razor thin. If PHP is executing properly and the files are named correctly, the username, et al., couldn't be pulled from off server. This protection does not prevent someone on the server from getting the files.
Thanks, feyd.
Please explain "off server" vs. "on server" people. Can you guide me to a better way?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

off server = something remote to the server, not physically on the server.
on server = something on the server.