Database password security using mysql_connect

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

streambuffer
Forum Newbie
Posts: 4
Joined: Tue Jun 09, 2009 7:20 am

Database password security using mysql_connect

Post by streambuffer »

Hello,
I'm quite new to PHP and have a basic idea of SQL... creating/modifying tables etc.
Here's what I'd like to know.
I have two pages - search.html and search.php. I also have an SQL database on which I want to perform searches using the textfield and submit button on the search.html page. Now, you obviously know I would connect to my database using the search.php page with the following code:

<?php
$con = mysql_connect("localhost","username","password");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
 
// some code
?>
 
Of course this is the code for when I'm on localhost and all the files and the databases are on my PC. The actual question here is that when I upload the search.html and the search.php to the webserver online, will someone be able to get access to the search.php page and see my database username and password in it within $con = mysql_connect("localhost","username","password") ?

If yes, then how do I make sure my DB password and username remain safe? After all, the search.php file has to be out there online with that code in it, and someone could gain access to my database using those details.

Below are the contents of my search.html file:

<form method="post" action="Search.php">
Search Database:
<input type="Text" name="Search" size="20" maxlength="30">
<input type="Submit" name="submit" value="Search">
</form>
 
I'm also using $_POST in my search.php page.

Thank you for any help guys. I'm not really a pro but I do understand most things.
Last edited by Benjamin on Tue Jun 09, 2009 11:52 am, edited 1 time in total.
Reason: Added [code=php] tags.
Paul Arnold
Forum Contributor
Posts: 141
Joined: Fri Jun 13, 2008 10:09 am
Location: Newcastle Upon Tyne

Re: Database password security using mysql_connect

Post by Paul Arnold »

They shouldn't be able to as PHP is run server side before the code that's sent to the user's browser.

However, for greater security, put the connection code into another file and store that in a folder that's not accessible from the web and call it as an include.

eg:

<?PHP include('../../connection.php'); ?>
streambuffer
Forum Newbie
Posts: 4
Joined: Tue Jun 09, 2009 7:20 am

Re: Database password security using mysql_connect

Post by streambuffer »

Blimey! That was good.
Thanks Paul :D
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Database password security using mysql_connect

Post by kaisellgren »

streambuffer wrote:will someone be able to get access to the search.php page and see my database username and password
Yes if there is a security hole in your application, otherwise, no.
streambuffer
Forum Newbie
Posts: 4
Joined: Tue Jun 09, 2009 7:20 am

Re: Database password security using mysql_connect

Post by streambuffer »

Hmm....what kind of security hole could there be? I'm considering Paul's advice above and putting the connection data in another folder. Would it help if I made that folder 'secure'? I'm not sure how though. What if I put a .htaccess file in there with some login/password in it? But in that case, the include function in the search.php won't be able to access the connection data stored in that separate connection.php file which I would be putting in the secured folder. I don't know if I'm paranoid lol.
Paul Arnold
Forum Contributor
Posts: 141
Joined: Fri Jun 13, 2008 10:09 am
Location: Newcastle Upon Tyne

Re: Database password security using mysql_connect

Post by Paul Arnold »

It's best to be paranoid when it comes to security.
If you put the file in a folder that's not web accessible (eg: above htdocs or public_html) it can't be accessed directly.
I've known cases where PHP has been disabled on the server, so the code has been parsed as text rather than executed as PHP and revealed to the public, but if it's not web accessible this won't happen.
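The layout Paul describes, as an added example that is not code from the thread: the credentials file sits above the document root, the web-facing script pulls it in with a path relative to __DIR__ (not the current working directory, which differs between CLI and web requests), and a check refuses to load a credentials file that has been misplaced under the docroot, since that is exactly the file that gets served as plain text if PHP handling is ever disabled. The paths, hostname, username, password and database name are placeholders; the stand-alone demo at the bottom builds the two-directory layout in a temp dir and never touches a real database.

```php
<?php
// Added example (not from the thread). Assumed layout on the host (placeholders):
//   /home/example/config/db.php        <- outside the document root, not servable
//   /home/example/public_html/search.php
//
// /home/example/config/db.php contains only:
//   <?php
//   return ['host' => 'localhost', 'user' => 'username', 'pass' => 'password', 'name' => 'mydb'];

declare(strict_types=1);

/**
 * True only if the resolved config path is NOT under the resolved document root.
 * Unresolvable paths are treated as unsafe rather than silently accepted.
 */
function config_is_outside_docroot(string $configPath, string $docRoot): bool
{
    $real = realpath($configPath);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        return false;
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $root, strlen($root)) !== 0;
}

/** Load the credentials array and validate its shape before anything uses it. */
function load_db_config(string $configPath, string $docRoot): array
{
    if (!config_is_outside_docroot($configPath, $docRoot)) {
        throw new RuntimeException('db config must live outside the document root');
    }
    $cfg = require $configPath;            // the file returns an array, no globals
    foreach (['host', 'user', 'pass', 'name'] as $key) {
        if (!isset($cfg[$key]) || !is_string($cfg[$key])) {
            throw new RuntimeException("db config missing '$key'");
        }
    }
    return $cfg;
}

/** Connect with the loaded credentials; connection errors go to the server log, not the browser. */
function db_connect(array $cfg): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    try {
        return new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name']);
    } catch (mysqli_sql_exception $e) {
        error_log('DB connect failed: ' . $e->getMessage());
        http_response_code(500);
        exit('Service unavailable');
    }
}

// In search.php (under public_html) the calls would be:
//   $cfg = load_db_config(__DIR__ . '/../config/db.php', $_SERVER['DOCUMENT_ROOT']);
//   $db  = db_connect($cfg);

// Stand-alone demo (CLI only): build the layout in a temp dir and run the check both ways.
if (PHP_SAPI === 'cli') {
    $home = sys_get_temp_dir() . '/home_' . bin2hex(random_bytes(4));
    mkdir("$home/config", 0700, true);
    mkdir("$home/public_html", 0755, true);
    $configPhp = "<?php\nreturn ['host' => 'localhost', 'user' => 'username', "
               . "'pass' => 'password', 'name' => 'mydb'];\n";
    file_put_contents("$home/config/db.php", $configPhp);       // correct placement
    file_put_contents("$home/public_html/db.php", $configPhp);  // the mistake to catch

    $cfg = load_db_config("$home/public_html/../config/db.php", "$home/public_html");
    echo 'outside docroot: loaded credentials for user ', $cfg['user'], "\n";
    try {
        load_db_config("$home/public_html/db.php", "$home/public_html");
    } catch (RuntimeException $e) {
        echo 'inside docroot: refused (', $e->getMessage(), ")\n";
    }
}
```

Run it with `php` from the command line to see the two outcomes. Keeping the config file readable only by the account PHP runs as (mode 0600 or 0640 with the web server's group) limits what a second compromised site on the same host can read, which is the remaining exposure once the file is out of the docroot.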
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Database password security using mysql_connect

Post by kaisellgren »

Just place the config file outside of the document root and there is nothing else you should do. If an intruder gets in your system, usually he will access the config file no matter what kind of protections you have applied.