
How to protect PHP, database on web and connection


Tore

Technical User
May 18, 2001
Hi. I'm about to launch a site on the www.
I have written the entire site using ASP, VBScript and an MS Access DB.

I have decided to rewrite it into PHP pages and use a MySQL database because of better speed and stability.

I will have a lot of customers, and I would like to secure my code against hackers. That means preventing hackers from being able to get hold of the database password and user ID that I use when connecting visitors and my users.

So where should I put my connection statement? In every PHP page that connects, or is there a way of setting a global variable in PHP somewhere and using this connection variable in all my PHP pages?
What's the best solution here?

And what about security? Do I have to create a user with a user ID and password and grant rights to whatever tables visitors and customers use, or maybe one user ID and password for my visitors (read only) and one user ID and password for my customers (which also allows create, update and delete)?
Any suggestions?

And in the end...
What should I do to prevent hackers from entering my MySQL database?
Is there anything I should/could do to prevent someone from reading/looking at my PHP pages in general?

Okay, I know that the script part of the PHP pages is not displayed in any way to the browsers... but what about hackers? Maybe it is easy for them? And maybe easy to prevent, without too much hassle.

I am hosting my site on a Linux platform.

Huhhh.. this was a lot... I know...

Any comments appreciated :)

Tore


 
Is the server *nix or Windows?

If it's *nix, put your connection info into a file called .<somethingyouwant>.php

All files with a name starting with a dot (.) should be hidden by default from the web browser and any form of FTP or dir listing unless you are root or the file owner.

-------------------
<?php
// connection details, pulled in with require() by the pages that need them
$user='username';
$password='yourpassword';
$host='yourdbhost';
?>

If this file is found and parsed by a web browser the result is a totally empty page with no source viewable.
______________________________________________________________________
There's no present like the time, they say. - Henry's Cat.
 
I should add that if you create a folder off your root dir named like .hidden, it will be unviewable by a web browser dir list. Put your .config in here and use require('.hiddenfolder/.config.php');

in each page which requires the connection details.

This is pretty secure, unless someone actually gains your server login and password, which is the least likely thing to happen.
______________________________________________________________________
There's no present like the time, they say. - Henry's Cat.
 
Thanks

But one question.

If I use this in my PHP pages to get the connection variables: require('.hiddenfolder/.config.php');

... the potential hacker won't see anything listed in the browser or FTP... but he will see the above hidden directory and filename in whatever page uses the above code...

Won't he be able to download the file now that he knows the name of both the hidden directory and the hidden file?

Tore
 
Try the code :)

You cannot download a PHP page without the server parsing it first.

Do something real simple.
page.php
-----------------------------
<?php
// pull the three variables in from the other file and print them
require('anotherpage.php');
echo "$value $value1 $value2";
?>

------------------------------
anotherpage.php
<?php
// nothing here produces output, so the file renders as an empty page
$value="test";
$value1="this";
$value2="out";
?>


View page.php in a browser and select view source, see what you get, then do the same with anotherpage.php and see... hopefully this will answer your worries.
______________________________________________________________________
There's no present like the time, they say. - Henry's Cat.
 