Newbie question- mysql_connect() and password
Posted: Tue Dec 27, 2005 4:40 pm
by dprok
Hi, I'm new to php and am learning to use it with mysql to create a db driven site. My question is, when you use the mysql_connect() function and pass host, username and password within it, how do you keep users from seeing this information if they choose to "view code"? I'm a bit confused about this.
Is there a command I'm missing that automatically hides or encodes the information, so it can't be viewed, or is it something that's handled by the server once I move the site to a host?
Right now, I'm running php and mysql on my own system using IIS, so there's no reason for it to be secret, but when I post the pages to an active host, it would be nice if I could trust that nobody could see the database username and password- right!
Thanks for your help.
Posted: Tue Dec 27, 2005 6:09 pm
by DeprecatedDiva
Hi, I'm new to php and am learning to use it with mysql to create a db driven site. My question is, when you use the mysql_connect() function and pass host, username and password within it, how do you keep users from seeing this information if they choose to "view code"? I'm a bit confused about this.
When I first started, I had this same question. PHP is server-side scripting and, unless there is a problem with your code, will never be visible when the client views source. I've only been coding PHP for two months now and tested this several times and it does work.
For better security, I've learned how to store my connection data outside my web.
Is there a command I'm missing that automatically hides or encodes the information, so it can't be viewed, or is it something that's handled by the server once I move the site to a host?
Not that I know of.
Right now, I'm running php and mysql on my own system using IIS, so there's no reason for it to be secret, but when I post the pages to an active host, it would be nice if I could trust that nobody could see the database username and password- right!
I dumped IIS and set up an apache/mysql/php server on my winxp system. I matched my phpinfo to my webhost's, then went back and adjusted my php to be more strict. Even though I am not running a public server, I am operating as if my website were live to hopefully weed out the worst of the bugs before I go live with it on my host's server.

I am adding: this includes trying to "hack" into my server using various "attacks" after I build a form to ensure it is as safe as I can make it.
Posted: Tue Dec 27, 2005 8:36 pm
by dprok
DeprecatedDiva,
Cool, I'll check it out too. Thanks for your help. That's exactly what I'm trying to do on this IIS system. I haven't had any major problems with it so far.
Posted: Tue Dec 27, 2005 8:55 pm
by RobertGonzalez
There are plenty of threads around these forums about keeping configuration data files in a folder above the root of your web site and including them using the server path of the file. As long as you wrap your connection details in PHP code (i.e., <?php and ?>) the server will parse them through the PHP engine and the user will never see them. The user will only see the HTML that is output by your script.
Does this mean that your connection details are secure this way? No, but if your database server is named localhost, that makes it a little more difficult to crack into it if someone does come across your details. Also, stay away from db connection data files named config or dbconnect or some other easily guessable name. This is just a good programming tactic.
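The layout that both DeprecatedDiva and RobertGonzalez describe, as an added example that is not code from either poster: a credentials file kept one level above the document root, pulled in with an absolute server path, and a page inside the document root that uses it. The paths `/var/www/private/` and `/var/www/html/` and the database name, user and password are assumed placeholders. The original `mysql_connect()` extension was removed in PHP 7, so the example connects with PDO instead; the point about where the credentials live is the same. Because the config file sits outside the directory the web server serves, a request for it returns nothing even if the PHP handler is misconfigured, which is the "problem with your code" case DeprecatedDiva mentions: a credentials file inside the web root with an extension the server does not hand to PHP (for example `.inc` or `.txt`, or an editor backup such as `config.php~`) would be sent to the browser as plain text.

```php
<?php
// ---- File 1: /var/www/private/db_config.php  (assumed path, OUTSIDE the web root)
// Returns the connection settings as an array. No closing ?> tag, so nothing can
// be accidentally emitted if the file is ever included after output has started.
return [
    'host'     => 'localhost',        // local socket/TCP only; see RobertGonzalez's note
    'dbname'   => 'example_db',       // placeholder value
    'user'     => 'example_user',     // placeholder value
    'password' => 'change-me',        // placeholder value, never commit a real one
];
```

```php
<?php
// ---- File 2: /var/www/html/index.php  (assumed path, INSIDE the web root)
// Reads the credentials by absolute filesystem path, not by URL, and keeps every
// failure message generic so a broken deployment cannot echo the credentials back.
$configPath = '/var/www/private/db_config.php';   // assumed path

if (!is_readable($configPath)) {
    error_log('DB config missing or unreadable: ' . $configPath); // server log only
    http_response_code(500);
    exit('Configuration unavailable.');
}

$cfg = require $configPath;

$dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $cfg['host'], $cfg['dbname']);

try {
    $pdo = new PDO($dsn, $cfg['user'], $cfg['password'], [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
    ]);
} catch (PDOException $e) {
    // The exception text can contain the host, user and DSN: log it, never print it.
    error_log('DB connection failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Database unavailable.');
}

// Drop the plaintext credentials from memory as soon as the handle exists, so a
// later var_dump() or a debug dump of $GLOBALS cannot expose them.
unset($cfg);

// From here on, only query results ever reach the browser.
$stmt = $pdo->query('SELECT NOW() AS server_time');
$row  = $stmt->fetch(PDO::FETCH_ASSOC);
echo '<p>Server time: ' . htmlspecialchars($row['server_time'], ENT_QUOTES, 'UTF-8') . '</p>';
```

A quick check after deploying to the host: request the config file's would-be URL (for this layout it has none, since `/var/www/private/` is not under the document root) and confirm the server answers 404, then view the source of `index.php` in the browser and confirm only the rendered HTML appears. If `display_errors` is on in the host's `php.ini`, turn it off for the live site, because a failed `require` or PDO exception would otherwise print the file path or DSN to the page.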
Posted: Wed Dec 28, 2005 8:30 am
by dprok
Thanks Everah. Excellent tips, and I am aware of the file separation security recommendations. I just didn't put my thinking cap on and make the connection with server-side operations and client-side output. Duh. It makes perfect sense now. Thanks again.