Hello,
apologies if this has been done to death before, but is it common practice to store your mySQL database details (hostname, database name, login and password) in a php file outside of the root? Seems a bit insecure, but I suppose what else can you do, and how would someone actually get the data from the file?
where to put mySQL login data
-
bobthebuilder
- Forum Commoner
- Posts: 32
- Joined: Tue Mar 22, 2011 5:06 pm
Re: where to put mySQL login data
One way or another you'll have to put your sql details in some .php file. Putting it somewhere outside the document root isn't necessarily secure or insecure. Well, to a certain extent it's more secure than putting it inside the document root, but it mainly boils down to other security measurements:
- Avoid error messages containing your login details (or SQL queries) being displayed to the visitor. What will happen if your SQL server happens to be down, does your site show an error like "SQL error: function call mysql_connect(joe,Pa$sWoRd) failed" or something?
- Avoid user-input dependent page selection vulnerabilities that would allow them to "visit" your sensitive .php file. For example if your site works with a &page=xxx URL scheme which would include xxx.php (or even output it like a template), don't just include whatever argument they submit, but verify it to avoid them opening &page=../private_folder/sql_password.php
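The second point above (a `&page=xxx` scheme that includes whatever the visitor names) is the classic way a credentials file outside the document root still ends up exposed. The following is an added example, not code from anyone in this thread: a page selector that only includes files from an explicit whitelist, with a `realpath()` check as a second line of defence. The `pages/` directory and the page names are assumptions for illustration.

```php
<?php
// Added example (not from the thread): whitelist-based page selection.
// Assumes public page templates live in <this dir>/pages/ (hypothetical)
// and that the database settings file lives elsewhere, outside the
// document root, so it is never a candidate for inclusion here.

declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

// Explicit map of allowed page names to files. Anything not listed is
// rejected, so "../private_folder/sql_password" or any other visitor-
// supplied name never reaches include().
const PAGE_MAP = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/** Return the template file for a requested page name, falling back to home. */
function resolvePage(string $requested): string
{
    if (!array_key_exists($requested, PAGE_MAP)) {
        return PAGE_MAP['home'];
    }
    return PAGE_MAP[$requested];
}

$requested = (isset($_GET['page']) && is_string($_GET['page'])) ? $_GET['page'] : 'home';
$file = PAGES_DIR . '/' . resolvePage($requested);

// Belt and braces: even though the map already guarantees it, confirm the
// resolved path really sits inside PAGES_DIR before including it.
$real = realpath($file);
$base = realpath(PAGES_DIR);
if ($real === false || $base === false
    || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('Page not found');
}

include $real;
```

The map is the actual control; the `realpath()` comparison only guards against a future edit that adds a bad entry to the map or builds the path some other way.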
-
bobthebuilder
- Forum Commoner
- Posts: 32
- Joined: Tue Mar 22, 2011 5:06 pm
Re: where to put mySQL login data
Thanks for the input Apollo. You got me thinking, and by setting the wrong password for example, the output
is there for everyone to see. In addition to being unsightly, this is giving a little bit of information away. Is there a way of preventing these messages from being displayed?
Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'bob'@'localhost' (using password: YES) in C:\web\webplus_php\sql_test.php on line 21
-
social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: where to put mySQL login data
You can use the error control operator ( @ )
That will stop the error message received (if no connection can be made) but you will also have to deal with the error and let the user know about the problem.
<?php
// Suppress the warning mysql_connect() would otherwise print (it can include
// the user name), then check the result ourselves and show a generic message.
$connectionResource = @mysql_connect('host', 'user', 'pass');
if (!$connectionResource)
{
echo 'No connection to server';
}
?>
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
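The `@` operator only hides one warning from one call. A more robust version of the same idea, added here as an example rather than code from anyone in this thread, is to turn display_errors off globally, have the database layer throw exceptions, and log the real reason server-side while the visitor only sees a generic message. It uses mysqli (the `mysql_*` functions were removed in PHP 7); the config file path and the array keys it returns are assumptions.

```php
<?php
// Added example, not from the thread. Uses mysqli in place of mysql_connect().
// Assumes a credentials file outside the document root that simply returns
// an array, e.g. ../config/db.php containing:
//   <?php return ['host' => 'localhost', 'user' => 'bob',
//                 'pass' => 'secret', 'name' => 'shop'];
// (hypothetical path and values)

declare(strict_types=1);

// Never render PHP warnings or notices to the visitor; log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Make mysqli raise exceptions rather than emitting warnings whose text
// embeds the user name and host.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Open a connection, or return null after logging the failure server-side.
 * The visitor never sees the exception text.
 */
function connectDb(array $cfg): ?mysqli
{
    try {
        return new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name']);
    } catch (mysqli_sql_exception $e) {
        // Full detail (server reason, user, host) goes to the error log only.
        error_log('DB connection failed: ' . $e->getMessage());
        return null;
    }
}

$config = require __DIR__ . '/../config/db.php';

$db = connectDb($config);
if ($db === null) {
    http_response_code(503);
    exit('The site is temporarily unavailable. Please try again later.');
}

// ... normal page code using $db from here on ...
```

With `display_errors` off and exceptions caught at the connection point, a wrong password or a downed server produces a log entry for the administrator and a bland 503 page for everyone else, which is what the earlier reply was getting at with "deal with the error and let the user know".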
-
bobthebuilder
- Forum Commoner
- Posts: 32
- Joined: Tue Mar 22, 2011 5:06 pm
Re: where to put mySQL login data
Thanks social_experiment, I shall use the @ operator in conjunction with some error reporting.