trainoasis

Reputation: 6720

Need a class for creating a database connection php with mysqli

I need to create a class for connecting to the DB. I know that hardcoding DB info is bad, such as:

$user = "xxx";
$password = "yyy";
$server = "zzz";
$dbname = "name";

// mysql_connect() takes (server, username, password) in that order
mysql_connect($server, $user, $password);
mysql_select_db($dbname);

That's why I use "include" such as:

include "config.php";

which contains all the needed variables, and then I can use mysql_connect with them. But as far as I know, this is a bad practice as well. How can I use the mysqli class (extending it?) the easiest way, and of course the safest possible?

Thanks for any tip

Upvotes: 0

Views: 880

Answers (4)

trainoasis

Reputation: 6720

All the proposed answers could be correct I guess, but for my purpose and circumstances, I created a file that includes mysqli object creation and connection to DB with some functions for escaping data. Then I just include the file in all other .php's that need DB connections and it's very easy to use and execute queries. If someone needs more info or examples let me know.

Thanks to all

Upvotes: 0

dimo414

Reputation: 48794

There's nothing terribly insecure about hard coding database constants (as others have stated, they have to be somewhere...) though like you note it's a good idea to have these values in a separate file. I'd suggest going one step further and not tracking this file in source control, instead create a template, such as config.base.php which you copy over to config.php and configure per server. There are other options (where I work, we track these files, but name them $(hostname).php which allows for some clever import-chaining, but isn't necessary) but this is an easy, safe one, with the advantage of keeping these values out of your version control. This allows the code to be distributable without providing these passwords.

The bigger security issue to concern yourself with is locking down your front-facing MySQL user to only have the permissions you need your webapp to have. For instance, generally it's a bad idea for your website to be CREATEing or ALTERing tables live, so it's often a good idea to not grant those privileges to the user your website uses, and have a different, higher privileged user that you use directly to make schema changes offline.

To your question, I do the following in a common.php class to create my MySQLi connection:

<?php
// config.php defines MYSQL_HOST, MYSQL_USER, MYSQL_PASS, MYSQL_DB and DEBUG_MODE
require_once($_SERVER['DOCUMENT_ROOT'].'/includes/config.php');

// '@' suppresses the connect warning; the error is checked explicitly below
$db = @new mysqli(MYSQL_HOST,MYSQL_USER,MYSQL_PASS,MYSQL_DB);
if(mysqli_connect_errno())
{
    // Show driver details only in debug mode; users get a generic message
    if(DEBUG_MODE)
        $template->error('Failed To Connect To Database: '.mysqli_connect_errno().': '.mysqli_connect_error());
    else
        $template->error('Failed To Connect To Database.  Try reloading the page.  If this error persists, <a href="/contact.php">let me know</a>.');
}

Upvotes: 1
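An added example, not code from the question or from either answer, that puts together what trainoasis's include file and dimo414's common.php describe: a per-server config.php (copied from a committed config.base.php template, with the real copy kept out of version control) defining the connection constants, and a small mysqli wrapper that connects once, fails loudly with a generic user-facing message, and runs queries through prepared statements so no hand-written escaping is needed. The constant names match dimo414's snippet; the file layout, the `Database` class, and the table and column names in the usage line are assumptions for illustration.

```php
<?php
// Added example (not from the question or any answer). Assumed layout:
// config.base.php is the committed template, config.php is the per-server
// copy that is NOT tracked in version control. Values below are placeholders.
//
// --- config.base.php (commit this, copy to config.php and fill in) ---
// define('MYSQL_HOST', 'localhost');
// define('MYSQL_USER', 'webapp');     // low-privilege account: SELECT/INSERT/UPDATE/DELETE only
// define('MYSQL_PASS', 'change-me');
// define('MYSQL_DB',   'appdb');
// define('DEBUG_MODE', false);

require_once __DIR__ . '/config.php';

final class Database
{
    private static ?mysqli $conn = null;

    /** Return the shared connection, creating it on first use. */
    public static function get(): mysqli
    {
        if (self::$conn === null) {
            // Throw mysqli_sql_exception instead of silently returning false,
            // so a failed connect cannot be mistaken for a usable handle.
            mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
            try {
                $conn = new mysqli(MYSQL_HOST, MYSQL_USER, MYSQL_PASS, MYSQL_DB);
                $conn->set_charset('utf8mb4');
            } catch (mysqli_sql_exception $e) {
                // Driver details go to the server log; users only see them in
                // debug mode, never host/user/driver text in production.
                error_log('DB connect failed: ' . $e->getMessage());
                $msg = DEBUG_MODE
                    ? 'Failed to connect to database: ' . $e->getMessage()
                    : 'Failed to connect to database. Try reloading the page.';
                throw new RuntimeException($msg, 0, $e);
            }
            self::$conn = $conn;
        }
        return self::$conn;
    }

    /**
     * Run a parameterised query and return all rows as associative arrays.
     * Values are bound through a prepared statement, so no manual escaping.
     * $types is the mysqli bind_param type string, e.g. 'si' = string, int.
     */
    public static function rows(string $sql, string $types = '', array $params = []): array
    {
        $stmt = self::get()->prepare($sql);
        if ($types !== '') {
            $stmt->bind_param($types, ...$params);
        }
        $stmt->execute();
        $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
        $stmt->close();
        return $rows;
    }
}

// Usage (hypothetical table and column names):
// $users = Database::rows('SELECT id, name FROM users WHERE email = ?', 's', [$email]);
```

Every script that needs the database just does `require_once 'common.php';` and calls `Database::rows(...)`; because the real config.php is never committed, the code can be published or copied between servers without carrying the credentials along.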

slash28cu

Reputation: 1634

In the end you have to put your connection configuration parameters inside your code. Doesn't matter if it is in a constant, a class, etc....

I don't think hardcoding those values is a security risk. Your php scripts are on the server. So they are protected by the file system permissions and the system permissions as well. If somebody can access your files the security issue is in the server and not in the php script.

Use PDO, it has classes to handle db access.

From the PDO php manual:

The PHP Data Objects (PDO) extension defines a lightweight, consistent interface for accessing databases in PHP.

Connections are established by creating instances of the PDO base class.

Example #1 Connecting to MySQL

 <?php
 // $user and $pass hold the database credentials (placeholder values here)
 $user = 'db_user';
 $pass = 'db_password';
 $dbh = new PDO('mysql:host=localhost;dbname=test', $user, $pass);
 ?>

Upvotes: 2
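As an added example building on the manual snippet above (not from the answer or from the PHP manual), here is a PDO connection helper that turns on exception-mode error reporting, disables emulated prepares, and runs a query with bound parameters. The credentials are read from the environment with placeholder fallbacks, and the `connect` function, the `users` table and its columns are assumptions for illustration.

```php
<?php
// Added example (not from the answer or the PHP manual). Placeholder
// credentials; in practice read them from a config file kept out of
// version control or from the environment, as done here.
$host   = 'localhost';
$dbname = 'test';
$user   = getenv('DB_USER') ?: 'db_user';      // placeholder fallback
$pass   = getenv('DB_PASS') ?: 'db_password';  // placeholder fallback

function connect(string $host, string $dbname, string $user, string $pass): PDO
{
    $dsn = "mysql:host=$host;dbname=$dbname;charset=utf8mb4";
    $options = [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw on SQL errors
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
    ];
    try {
        return new PDO($dsn, $user, $pass, $options);
    } catch (PDOException $e) {
        // Log the driver message server-side; give callers a generic error
        error_log('DB connect failed: ' . $e->getMessage());
        throw new RuntimeException('Database unavailable', 0, $e);
    }
}

// Usage (hypothetical table and column names): values are bound, not
// concatenated into the SQL string.
$dbh  = connect($host, $dbname, $user, $pass);
$stmt = $dbh->prepare('SELECT id, name FROM users WHERE email = :email');
$stmt->execute([':email' => $email]);
$rows = $stmt->fetchAll();
```

`ERRMODE_EXCEPTION` matters because the default silent mode makes a failed `prepare()` or `execute()` return `false`, which is easy to overlook; with exceptions the failure stops the script and can be caught in one place.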

Antonio Vildes Barbosa

Reputation: 127

I can't really answer your question right now, but as a tip, watch this video.

It's a PHP Security series that may help you there:

https://www.youtube.com/watch?v=Nx-g-0ynP_I

If it doesn't work, search for "PHP Security part 1" on YouTube!

Hope it helps!

Upvotes: 1
