Database password security using mysql_connect

Posted: Tue Jun 09, 2009 7:45 am
by streambuffer
Hello,
I'm quite new to PHP and have a basic idea of SQL... creating/modifying tables etc.
Here's what I'd like to know.
I have two pages - search.html and search.php. I also have an SQL database on which I want to perform searches using the textfield and submit button on the search.html page. Now, you obviously know I would connect to my database using the search.php page with the following code:

<?php
// Open the database connection (mysql_* extension, as used in this thread).
$con = mysql_connect("localhost", "username", "password");
if (!$con) {
    // Stop the script if the connection failed and show the driver's error.
    die('Could not connect: ' . mysql_error());
}

// some code
?>
Of course this is the code for when I'm on localhost and all the files and the databases are on my PC. The actual question here is that when I upload the search.html and the search.php to the webserver online, will someone be able to get access to the search.php page and see my database username and password in it within $con = mysql_connect("localhost","username","password") ?

If yes, then how do I make sure my DB password and username remain safe? After all, the search.php file has to be out there online with that code in it, and someone could gain access to my database using those details.

Below are the contents of my search.html file:

<form method="post" action="Search.php">
Search Database:
<input type="text" name="Search" size="20" maxlength="30">
<input type="submit" name="submit" value="Search">
</form>
I'm also using $_POST in my search.php page.

Thank you for any help guys. I'm not really a pro but I do understand most things.

Re: Database password security using mysql_connect

Posted: Tue Jun 09, 2009 8:57 am
by Paul Arnold
They shouldn't be able to, as PHP is run server-side before the resulting code is sent to the user's browser.

However, for greater security, put the connection code into another file and store that in a folder that's not accessible from the web and call it as an include.

e.g.:

<?PHP include('../../connection.php'); ?>

Re: Database password security using mysql_connect

Posted: Tue Jun 09, 2009 9:43 am
by streambuffer
Blimey! That was good.
Thanks Paul :D

Re: Database password security using mysql_connect

Posted: Tue Jun 09, 2009 12:59 pm
by kaisellgren
streambuffer wrote: "will someone be able to get access to the search.php page and see my database username and password"
Yes, if there is a security hole in your application; otherwise, no.

Re: Database password security using mysql_connect

Posted: Tue Jun 09, 2009 10:19 pm
by streambuffer
Hmm... what kind of security hole could there be? I'm considering Paul's advice above and putting the connection data in another folder. Would it help if I made that folder 'secure'? I'm not sure how, though. What if I put a .htaccess file in there with some login/password in it? But in that case, the include function in search.php won't be able to access the connection data stored in that separate connection.php file which I would be putting in the secured folder. I don't know if I'm paranoid lol.

Re: Database password security using mysql_connect

Posted: Wed Jun 10, 2009 3:24 am
by Paul Arnold
It's best to be paranoid when it comes to security.
If you put the file in a folder that's not web accessible (e.g. above htdocs or public_html), it can't be accessed directly.
I've known cases where PHP has been disabled on the server, so the code has been parsed as text rather than executed as PHP and revealed to the public, but if it's not web accessible this won't happen.

Re: Database password security using mysql_connect

Posted: Wed Jun 10, 2009 6:00 am
by kaisellgren
Just place the config file outside of the document root and there is nothing else you should do. If an intruder gets into your system, usually he will access the config file no matter what kind of protections you have applied.
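The layout Paul and kaisellgren describe (credentials in a file above the document root, pulled in with an include) together with the "security hole" most likely to sit in a search page, shown as an added example that is not code from anyone in this thread. It assumes a hypothetical layout of /var/www/html as the document root and /var/www/config/db.php holding the credentials; the table and column names are made up. It uses mysqli instead of mysql_connect, because the mysql_* functions were removed in PHP 7, and it resolves the include path from __DIR__ rather than from a relative '../../' so it does not depend on the working directory. Note that the thread's form posts to Search.php with a capital S, which only matches search.php on a case-insensitive filesystem.

```php
<?php
// Added example (not from the thread). Hypothetical layout:
//   /var/www/config/db.php   <- credentials, OUTSIDE the document root
//   /var/www/html/search.php <- this file; /var/www/html is DocumentRoot
//
// --- /var/www/config/db.php (constructed sample values) ---
// <?php
// return [
//     'host' => 'localhost',
//     'user' => 'example_user',
//     'pass' => 'example_password',
//     'name' => 'example_db',
// ];

declare(strict_types=1);

// Resolve the config path relative to this script, not the process's
// working directory, so the include works however PHP was started.
$configPath = __DIR__ . '/../config/db.php';

// Defensive check: refuse to run if the config file has been placed somewhere
// the web server could serve directly (e.g. uploaded into public_html).
function insideDocumentRoot(string $path, string $docRoot): bool
{
    $real = realpath($path);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        return false;
    }
    $prefix = rtrim($root, '/') . '/';
    return strncmp($real, $prefix, strlen($prefix)) === 0;
}

if (isset($_SERVER['DOCUMENT_ROOT'])
    && insideDocumentRoot($configPath, $_SERVER['DOCUMENT_ROOT'])) {
    http_response_code(500);
    exit('Database config must live outside the document root.');
}

// The config file returns an array; the credentials never appear in this file.
$db = require $configPath;

// Make mysqli throw on failure instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$con = new mysqli($db['host'], $db['user'], $db['pass'], $db['name']);

// The search term comes from the form's POST field ("Search" in the thread's form).
$term = isset($_POST['Search']) ? (string) $_POST['Search'] : '';
$term = substr($term, 0, 30); // mirror the form's maxlength on the server side

// A prepared statement keeps user input out of the SQL text, so the search
// term cannot alter the query. LIKE wildcards in the term are escaped too.
$pattern = '%' . addcslashes($term, '%_\\') . '%';
$stmt = $con->prepare('SELECT id, title FROM articles WHERE title LIKE ? LIMIT 50');
$stmt->bind_param('s', $pattern);
$stmt->execute();
$result = $stmt->get_result();

// Escape output so stored data cannot inject markup into the results page.
while ($row = $result->fetch_assoc()) {
    echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
$stmt->close();
$con->close();
```

The document-root check is a belt-and-braces guard for the case Paul mentions, where a file ends up web accessible by mistake; the real protection is the directory layout itself. If the host only gives you a public_html directory with nothing above it, the next best option is a directory alongside it that the web server is configured not to serve.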