Newbie question- mysql_connect() and password

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

dprok
Forum Newbie
Posts: 3
Joined: Tue Dec 27, 2005 4:31 pm

Post by dprok »

Hi, I'm new to php and am learning to use it with mysql to create a db driven site. My question is, when you use the mysql_connect() function and pass host, username and password within it, how do you keep users from seeing this information if they choose to "view code"? I'm a bit confused about this.

Is there a command I'm missing that automatically hides or encodes the information, so it can't be viewed, or is it something that's handled by the server once I move the site to a host?

Right now, I'm running php and mysql on my own system using IIS, so there's no reason for it to be secret, but when I post the pages to an active host, it would be nice if I could trust that nobody could see the database username and password- right!

Thanks for your help.
DeprecatedDiva
Forum Newbie
Posts: 24
Joined: Wed Aug 03, 2005 10:47 am
Location: NW Louisiana

Post by DeprecatedDiva »

dprok wrote:
Hi, I'm new to php and am learning to use it with mysql to create a db driven site. My question is, when you use the mysql_connect () function and pass host, username and password, within it, how do you keep users from seeing this information if they choose to "view code"? I'm a bit confused about this.

When I first started, I had this same question. PHP is server-side scripting and, unless there is a problem with your code, will never be visible when the client views source. I've only been coding PHP for two months now and tested this several times and it does work.

For better security, I've learned how to store my connection data outside my web.

dprok wrote:
Is there a command I'm missing that automatically hides or encodes the information, so it can't be viewed, or is it something that's handled by the server once I move the site to a host?

Not that I know of.

dprok wrote:
Right now, I'm running php and mysql on my own system using IIS, so there's no reason for it to be secret, but when I post the pages to an active host, it would be nice if I could trust that nobody could see the database username and password- right!

I dumped IIS and set up an apache/mysql/php server on my winxp system. I matched my phpinfo to my webhost's, then went back and adjusted my php to be more strict. Even though I am not running a public server, I am operating as if my website were live to hopefully weed out the worst of the bugs before I go live with it on my host's server. :) I am adding: this includes trying to "hack" into my server using various "attacks" after I build a form to ensure it is as safe as I can make it.
dprok
Forum Newbie
Posts: 3
Joined: Tue Dec 27, 2005 4:31 pm

Post by dprok »

DeprecatedDiva,

Cool, I'll check it out too. Thanks for your help. That's exactly what I'm trying to do on this IIS system. I haven't had any major problems with it so far.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

There are plenty of threads around these forums about keeping the configuration data file in a folder above the root of your web site and including it using the server path of the file. As long as you wrap your connection details in PHP code (i.e., <?php and ?>) the server will parse them through the PHP engine and the user will never see them. The user will only see the HTML that is output by your script.

Does this mean that your connection details are secure this way? No, but if your database server is named localhost, that makes it a little more difficult to crack into it if someone does come across your details. Also, stay away from db connection data files named config or dbconnect or some other easily guessable name. This is just a good programming tactic.
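Putting the advice above into code, as an added example that is not from this thread: a credentials file stored one directory above the document root, and a page that includes it by server path rather than by URL. It uses the mysqli extension in place of mysql_connect() (removed in PHP 7); the paths /var/www/private and /var/www/html, the file name and the credentials are placeholders, and the two files are shown in one block.

```php
<?php
// File 1: /var/www/private/db_config.php   (assumed path, ABOVE the document root)
// No URL maps to this directory, so even if PHP handling is misconfigured and
// .php files get served as plain text, a browser can never fetch this file.
// Placeholder credentials; replace with your own.
return array(
    'host'     => 'localhost',   // loopback only, as suggested in the thread
    'user'     => 'app_user',    // placeholder
    'password' => 'CHANGE_ME',   // placeholder
    'database' => 'app_db',      // placeholder
);

<?php
// File 2: /var/www/html/index.php   (assumed path, inside the document root)
// Locate the config by server path so the include still works after the site
// is moved to a host whose document root is somewhere else.
$configFile = dirname($_SERVER['DOCUMENT_ROOT']) . '/private/db_config.php';

if (!is_readable($configFile)) {
    // Fail closed and log server-side; never echo paths or errors to the client.
    error_log('Database configuration not readable: ' . $configFile);
    header('HTTP/1.1 500 Internal Server Error');
    exit('Service temporarily unavailable.');
}

$db = require $configFile;   // the config file returns an array

// mysqli_connect() is the modern equivalent of mysql_connect().
$link = mysqli_connect($db['host'], $db['user'], $db['password'], $db['database']);
if ($link === false) {
    error_log('MySQL connection failed: ' . mysqli_connect_error());
    header('HTTP/1.1 500 Internal Server Error');
    exit('Service temporarily unavailable.');
}

// The credentials are not needed once connected; drop them from script scope.
unset($db);

// ... run queries with $link; only the HTML this script outputs reaches the browser ...
mysqli_close($link);
```

The client only ever receives the output of File 2; File 1 is neither served nor parsed as a page, which is what makes the "view source" worry moot.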
dprok
Forum Newbie
Posts: 3
Joined: Tue Dec 27, 2005 4:31 pm

Post by dprok »

Thanks Everah. Excellent tips, and I am aware of the file separation security recommendations. I just didn't put my thinking cap on and make the connection with server-side operations and client-side output. Duh. It makes perfect sense now. Thanks again.