login and password of mysql in php code

monasa

To connect to mysql I must give mysql_connect the login name and the password in PHP code.

@mysql_connect("localhost","root","01232") or die("Echec de connexion au serveur");

How can I hide this?

Thanks in advance.

M.N
 
Hide it from who?

The user will not see any of your PHP code, as it is executed on the server and only the results are sent back to the browser.

free, anonymous advice provided by the whole world
 
omg, you have shown it to us!! :p
CHMOD the folder you keep your pass in, so other server users cannot go in your directory.

Olav Alexander Mjelde
Admin & Webmaster
 
If you put the connection string into a file and store that file in the .htaccess folder, you can have any PHP script include that and use it. But they are correct. There is no real need to do this, since the code cannot be looked at unless they are on the server anyways.

David Kuhn
------------------
 
If you are on a shared server and I have the ability to write my own CGI or PHP as a different user on that server, I'm willing to bet 50 bucks that I can get it.

The Apache process has to have permission to read that file, and my PHP and CGI processes run with the same permissions that everyone else's do on most hosting servers. Chroot Apache solves it for some cases, but it is imperfect and usually possible to circumvent.

Still, there's not really anything you can do about it, it's just important to be aware of the risks.
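
One way to apply the advice in the posts above, as an added example that is not part of any post in this thread: keep the credentials in a file outside the web root and refuse to use it if other accounts can read it. The path, the key names and the `load_db_credentials` helper are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Assumed layout: credentials live in
// /home/example/private/db.ini (outside the web root), created with chmod 600.
// Constructed file contents:
//   host = localhost
//   user = app_user
//   pass = placeholder-password
//   name = app_db

function load_db_credentials(string $path, string $docRoot): array
{
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException('Credentials file not found');
    }
    // Refuse a file that sits under the document root, where a server
    // misconfiguration could serve it as plain text.
    $root = $docRoot !== '' ? realpath($docRoot) : false;
    if ($root !== false && strpos($real, rtrim($root, '/') . '/') === 0) {
        throw new RuntimeException('Credentials file is inside the web root');
    }
    // Refuse any group or world permission bits; only the owner may have access.
    $mode = fileperms($real) & 0777;
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf('Mode %04o is too permissive, use 0600', $mode));
    }
    // RAW scanning keeps special characters in the password untouched.
    $cfg = parse_ini_file($real, false, INI_SCANNER_RAW);
    if ($cfg === false) {
        throw new RuntimeException('Credentials file is not valid INI');
    }
    foreach (['host', 'user', 'pass', 'name'] as $key) {
        if (!isset($cfg[$key])) {
            throw new RuntimeException("Missing key: $key");
        }
    }
    return $cfg;
}

try {
    $cfg = load_db_credentials('/home/example/private/db.ini', $_SERVER['DOCUMENT_ROOT'] ?? '');
    $db = new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name']);
    if ($db->connect_errno) {
        throw new RuntimeException('Connect failed: ' . $db->connect_error);
    }
} catch (Throwable $e) {
    error_log('DB setup failed: ' . $e->getMessage()); // detail goes to the log only
    http_response_code(500);
    exit('Database connection failed');
}
```

The permission check only protects the file when PHP runs as the account that owns it (for example under suEXEC or a per-user PHP-FPM pool). Where every site on the host runs as the same Apache user, as the post above describes, other tenants' scripts can still read it.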

 
A safer way you can make your code (including the passwords) unreadable even in source is to use something like the Zend Encoder ($$). The PHP installation where it runs must then include the Zend Optimizer in order to run the encoded PHP.
 
drj478: won't it be as cheap to rent a dedicated server?

I must admit I did not look at the price tag of the Zend Encoder, as I'm afraid that I'll lose my night's sleep over it.

Olav Alexander Mjelde
Admin & Webmaster
 
You can do a lot of things with almost 3000 dollars ;)
The cheapest is $960 for a one year license.
I'm lucky because for the place I work these sums are peanuts and I'm able to encode perpetually....
 
I was thinking of buying a license and then setting up an encoding service and charging to encode source until I recoup the cost. I wonder if that violates the license agreement.
 
This probably precludes it:
Licensee may only use the Software for its internal business use and not in the operation of a service bureau, time sharing or outsourcing service or for the benefit of any other person or entity.

But if I run a hosting company (which I do) and I develop for my customers (which I do) can I use the encoder to encode the applications I write for them? What if they leave my site? Can I give them the encoded file? It sounds like I can't even use the encoder to encode *any* code I write that isn't run by me on my computers for my own company's benefit.
 
That's not entirely correct.
Their business interest is in you developing and then distributing your encoded code. They also have a licensing part of the product, so it must be possible to distribute the encoded files.
I think they just mean you buy the encoder and make money off them by encoding files for a fee.
 