Database Security

Posted: Wed Aug 23, 2006 9:08 am
by ngungo
I quote from here: http://www.si.umich.edu/SICOMPOLD/howto ... curity.php
PHP-MySQL Security
As far as security goes it might be a good idea to pull your password out of your script. This can be done fairly easily.

I would recommend creating a "data" directory with a 'data.php' file in it. The contents of data.php would be something like this:


<?php
$username='jlockard';
$password='my_password';
$servername='sqldb.si.umich.edu';
?>


in the data directory you'd have a .htaccess file that contained:


<FILESMATCH "\.php$">
order deny,allow
deny from all
</FILESMATCH>


Then, in your regular php scripts, you'd do something like this:


<?php
include("data/data.php");
$db = mysql_connect($servername, $username, $password) or die("Could not connect: " . mysql_error());
mysql_select_db($username, $db);

.... etc ...
?>
Is this a secure method? Any other suggestions? Thanks!!!
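
The scheme quoted above relies on one Apache rule to keep `data.php` from being served. The following is an added example, not code from the original post or from the quoted UMich page, that keeps the same idea (credentials in a separate include) but moves the file outside the document root and checks its permissions before using it, so the secret does not depend on the `.htaccess` rule alone. The file name `private/db-config.php`, the hostname, the account name, the database name and the use of the `mysqli` API are all choices made for this illustration.

```php
<?php
// Added example (not from the original post or the quoted page).
// Assumptions: the credentials file lives one directory above the
// document root, e.g. /var/www/private/db-config.php next to
// /var/www/html, and Apache sets $_SERVER['DOCUMENT_ROOT'].

// private/db-config.php (never inside the document root) would contain:
//
//   <?php
//   return [
//       'host'     => 'sqldb.example.invalid',   // placeholder host
//       'user'     => 'app_user',                // placeholder account
//       'password' => 'CHANGE_ME',               // placeholder secret
//       'database' => 'app_db',                  // placeholder database
//   ];

/**
 * Load the credentials file and refuse to continue if it is exposed.
 *
 * Two checks the original scheme lacks:
 *   1. the file must sit outside the document root, so it can never be
 *      fetched over HTTP, even if the .htaccess rule is lost or PHP stops
 *      being executed (a mis-set handler can serve .php files as text);
 *   2. the file must not be world-readable, which narrows the "on server"
 *      exposure to the file owner and the web server's group.
 */
function load_db_config(string $path, string $docroot): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("credentials file not found: $path");
    }
    $rootReal = realpath($docroot);
    if ($rootReal === false) {
        throw new RuntimeException("document root not found: $docroot");
    }
    $root = rtrim($rootReal, '/') . '/';
    if (strncmp($real, $root, strlen($root)) === 0) {
        throw new RuntimeException("credentials file is inside the document root: $real");
    }
    // The low three bits of fileperms() are the "other" rwx bits.
    if ((fileperms($real) & 0007) !== 0) {
        throw new RuntimeException("credentials file is world-accessible: $real");
    }
    $cfg = require $real;
    foreach (['host', 'user', 'password', 'database'] as $key) {
        if (!isset($cfg[$key])) {
            throw new RuntimeException("credentials file is missing key: $key");
        }
    }
    return $cfg;
}

/**
 * Connect with mysqli. Failures raise mysqli_sql_exception instead of
 * die()-ing with the driver's error text, so connection details are not
 * echoed into the HTTP response on failure.
 */
function db_connect(array $cfg): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli($cfg['host'], $cfg['user'], $cfg['password'], $cfg['database']);
}

// Usage from a script inside the document root:
$cfg = load_db_config(__DIR__ . '/../private/db-config.php', $_SERVER['DOCUMENT_ROOT']);
$db  = db_connect($cfg);
```

Two things this changes compared with the quoted snippet: `die("Could not connect: " . mysql_error())` sends the driver's message to whoever requested the page, so the example lets the exception reach a generic error handler instead, and `chmod 640` on the credentials file (owner: the deploying account, group: the web server) is what actually limits other accounts on the same host, which an `.htaccess` rule cannot do.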

Posted: Wed Aug 23, 2006 9:32 am
by feyd
It adds a razor thin layer of security, and I do mean razor thin. If PHP is executing properly and the files are named correctly, the username, et al, couldn't be pulled from off server. This protection does not prevent someone on the server from getting the files.

Posted: Wed Aug 23, 2006 10:14 am
by ngungo
feyd wrote: It adds a razor thin layer of security, and I do mean razor thin. If PHP is executing properly and the files are named correctly, the username, et al, couldn't be pulled from off server. This protection does not prevent someone on the server from getting the files.
Thanks feyd,
Please explain "off server" vs "on server" people. Can you guide me to a better way?

Posted: Wed Aug 23, 2006 10:35 am
by feyd
off server = something remote to the server, not physically on the server.
on server = something on the server.