connect to database as a function
Posted: Tue Nov 01, 2011 2:04 pm
Hi all,
Please forgive my noobeeness, but I'm quite new to php and very new to php security.
I've just got my foundation's database to the point where it's beginning to be useful, so I'd like to start connecting it to the rest of our website, which is why I'm now on a self-study security crash course.
The first thing I read was to remove any database login information from pages that are in non-protected directories. So, I created a directory for php scripts and protected it with a .htaccess password.
Then I made a new php file called functions.php in that directory, and created a function that logs into the database. Now instead of logging into the database from php files in my website root directory, I include my functions.php file, and call the login function.
So, there I was feeling pretty pleased with myself, when it suddenly occurred to me that I was really no more secure than before. If a hacker can somehow get access to the php code in the website root directory, it will be quite obvious that a call to login() will gain access to the database, just as easily as having the password.
So my question is: should I simply make the function name less obvious, or am I going about this completely the wrong way?
Thanks in advance for any suggestions.
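An added example (not code from the original post) of the pattern the question describes, with the caveat a reviewer would raise: a `.htaccess` password only stops browsers fetching that directory over HTTP, while PHP's `require` reads the file straight from disk, so what actually protects the credentials is keeping them in a file outside the document root that the web server never serves, and giving the site a database account with only the privileges it needs. The path `/var/www/private/db_config.php`, the `site_ro` account, the table and column names, and the placeholder password are all assumptions.

```php
<?php
// Added example, not from the original post. Assumed: the config file lives
// outside the document root at /var/www/private/db_config.php and contains
//
//   <?php
//   return [
//       'dsn'  => 'mysql:host=localhost;dbname=foundation;charset=utf8mb4',
//       'user' => 'site_ro',              // granted only SELECT on the tables the site reads
//       'pass' => 'PLACEHOLDER_PASSWORD', // placeholder, never a real secret in a post
//   ];
//
// Nothing under the web root ever holds the password; pages only hold this path.

function db_connect(): PDO
{
    // Read from the filesystem, so the file is never reachable by URL regardless
    // of any .htaccess rule on the directory.
    $config = require '/var/www/private/db_config.php';

    return new PDO($config['dsn'], $config['user'], $config['pass'], [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, not silently
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Usage from a page in the web root: the page calls the function and binds
// user input as a parameter, so it neither contains the password nor builds
// SQL by string concatenation.
$pdo  = db_connect();
$stmt = $pdo->prepare('SELECT name FROM donors WHERE id = :id');
$stmt->execute([':id' => (int) ($_GET['id'] ?? 0)]);
$rows = $stmt->fetchAll();
```

Renaming `login()` buys nothing, because anyone who can run code on the server can call whatever the function is called; what limits the damage is that the credentials sit outside the served tree and that the `site_ro` account can only do what the public pages legitimately need.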