user1022772

Reputation: 651

Secure MYSQL connection details

Just wanted a little bit of advice on this. Is it possible to view PHP source code in a browser? I'm thinking it's not. But I wanted to make sure that my connection details, for example:

    include("connection.php");  // defines $host, $db_user, $db_pass, $db_name
    $con = mysql_connect($host, $db_user, $db_pass);
    mysql_select_db($db_name, $con);

can't be called and viewed by anyone with a browser.

If I .htaccess the connection.php file does this just mean that you can't access the file using ftp, but that any script calling the include() file will still work?

Hope that makes sense. All I'm trying to make sure is that my passwords for database connections will be secure. Any advice would be very helpful.

Upvotes: 1

Views: 231

Answers (5)

PeeHaa

Reputation: 72642

There are several ways to leak your PHP code through a browser, among others:

  1. Misconfigured server (so that PHP files don't get parsed)
  2. Making backup files by appending an extension: e.g. secretfile.php.bak
  3. Also it might be possible that an attacker gets to a file by doing: http://example.com/../../../etc/passwd
  4. Not really a way to get into PHP files, but another common way to get info is through SQL injection. (I see you are using mysql_* -> please stop using it):

Please stop writing new code with the ancient mysql_* functions. They are no longer maintained and the community has begun the deprecation process. Instead you should learn about prepared statements and use either PDO or MySQLi. If you cannot decide, this article will help to choose. If you care to learn, here is a quite good PDO-related tutorial.

It is considered good practice to keep all php files outside the document root and only keep a bootstrap file in your document root.

Another thing: you should set up your database to only accept connections from localhost when possible.

Upvotes: 5

Florian Müller

Reputation: 7785

It is NOT possible to view PHP code. But it may be possible to manipulate your application somehow. So, what you can do to be doubly secure is include a file with the connection data in it from a path outside of your public hierarchy, for example:

/home/public_html/index.php <= your website

http://yoururl.org gets to public_html => index.php

/home/files/connectionData.php <= file to store your files

Upvotes: 0

dm03514

Reputation: 55922

My advice would be to create one config file with all your sensitive data in it. Make sure this file is located outside of your server root.

Upvotes: 1
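The layout the answers above recommend (credentials in a file outside the document root, a single bootstrap file inside it, PDO with a prepared statement instead of mysql_*), as an added example that is not code from any of the posters. The paths follow the `public_html` / `files/connectionData.php` illustration above; the array keys in the config file, the `users` table and the `email` parameter are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Load settings from a PHP file that returns an array with the keys
// host, name, user, pass (assumed format) and lives outside the document root.
function loadDbConfig(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('Config file or document root not found');
    }
    // Refuse a file the web server could hand out as plain text.
    if (strpos($real, rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('Config file is inside the document root');
    }
    $cfg = require $real;
    foreach (['host', 'name', 'user', 'pass'] as $key) {
        if (!is_array($cfg) || !isset($cfg[$key])) {
            throw new RuntimeException("Missing config key: $key");
        }
    }
    return $cfg;
}

function connect(array $cfg): PDO
{
    $dsn = "mysql:host={$cfg['host']};dbname={$cfg['name']};charset=utf8mb4";
    return new PDO($dsn, $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw on errors
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepared statements
    ]);
}

// Bootstrap, e.g. public_html/index.php (paths, table and parameter are hypothetical).
try {
    $cfg   = loadDbConfig(__DIR__ . '/../files/connectionData.php', __DIR__);
    $pdo   = connect($cfg);
    $email = is_string($_GET['email'] ?? null) ? $_GET['email'] : '';
    $stmt  = $pdo->prepare('SELECT id, name FROM users WHERE email = ?');
    $stmt->execute([$email]); // value is bound, never concatenated into the SQL
    $rows  = $stmt->fetchAll(PDO::FETCH_ASSOC);
} catch (Throwable $e) {
    error_log($e->getMessage()); // details go to the server log only
    http_response_code(500);
    exit('Internal error');
}
```

With this layout a server that stops parsing PHP exposes only the bootstrap file, which contains no credentials.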

CuriousMind

Reputation: 34135

NO. You can't see server-side (PHP) code in the browser, unless something is wrong in your server config.

So relax & stop worrying about someone stealing your db username & password from "view source" in the browser. That ain't happening.

Upvotes: 1

Jeroen

Reputation: 13257

No, no one can view your PHP code (unless they have somehow gained access to your server via FTP, SSH...)

Upvotes: 0
