Security question with db connection 1

jisoo23

Programmer
Jan 27, 2004
192
US
Probably a simple question but just wanted to confirm with others...

I include a separate php page on each of my website's pages that contains mysql_connect and mysql_select_db. Is there any security risk with this? Or since PHP is processed on the server end it doesn't matter?

I'm just trying to avoid the risk of someone being able to grab the database information and messing things up. If there's a risk, what precautions could I take to prevent this from happening? I'm thinking a separate subdirectory with different chmod permissions perhaps....

Thanks for the input,
Jisoo23
 
Provided it has a .php extension it should be fine (as long as you don't echo any details on errors).

______________________________________________________________________
There's no present like the time, they say. - Henry's Cat.
 
I strongly recommend that the included file reside on the filesystem outside of the document root of your web site. That way, if something should happen to your web server's configuration that would allow php files to be sent to a browser as-is (send them, rather than running them and sending the output), your password will not be exposed.

I also recommend that you lock down the privileges of the login user your script uses as much as possible. MySQL, for example, gives the ability to allow a user to log in only from certain IP locations. If your script's MySQL user could only log in from localhost (assuming that your web server is also your database server), then the value of that login is reduced to a hostile entity.

Want the best answers? Ask the best questions!

TANSTAAFL!!
 
So putting the include file outside the document root of the website...you're talking about placing it outside of the "public_html" folder?
 
Yes. PHP's include(), include_once(), require() and require_once() functions are not constrained by the current document_root. You can put the files anywhere on the filesystem and still include them -- you just have to specify the correct path.

Want the best answers? Ask the best questions!

TANSTAAFL!!
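
The advice in the replies above, combined into one include file; this is an added example, not code posted by anyone in the thread. It uses mysqli instead of the thread's mysql_connect (which was removed in PHP 7), and the paths, the db.ini keys, the `webapp` account and the `appdb` schema are all assumed names.

```php
<?php
// Added example. Assumed layout (hypothetical paths and names):
//   /home/example/public_html/    document root
//   /home/example/private/db.ini  keys: host, user, pass, name
// Assumed MySQL account, restricted to local logins and to one schema
// ('...' is a password placeholder):
//   CREATE USER 'webapp'@'localhost' IDENTIFIED BY '...';
//   GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'webapp'@'localhost';

const DB_CONFIG = '/home/example/private/db.ini';

// True when $path resolves (symlinks included) to a location under $dir.
function path_is_inside(string $path, string $dir): bool
{
    $path = realpath($path);
    $dir  = realpath($dir);
    if ($path === false || $dir === false) {
        return false;
    }
    $dir = rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path . DIRECTORY_SEPARATOR, $dir, strlen($dir)) === 0;
}

function db_connect(string $configFile, string $docRoot): mysqli
{
    // Fail closed if the credentials file has ended up under the document root.
    if ($docRoot !== '' && path_is_inside($configFile, $docRoot)) {
        throw new RuntimeException('credentials file is inside the document root');
    }
    $cfg = is_readable($configFile) ? parse_ini_file($configFile) : false;
    if ($cfg === false) {
        throw new RuntimeException('credentials file missing or unparsable');
    }
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw
    return new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name']);
}

try {
    $db = db_connect(DB_CONFIG, $_SERVER['DOCUMENT_ROOT'] ?? '');
} catch (Throwable $e) {
    error_log('DB connection failed: ' . $e->getMessage()); // detail stays in the server log
    http_response_code(500);
    exit('Database unavailable.');                          // nothing specific reaches the browser
}
```

Pages would pull this in with an absolute path, for example `require_once '/home/example/private/db_connect.php';`, so the connection code itself also lives outside `public_html`.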
 
A-ha, I'll be sure to do that. Thanks for the security tip!
 