  1. #1 SitePoint Enthusiast (Florence, Italy; joined Jan 2001; 48 posts)
    How unsafe is it to keep the database connection (thus username and password) in the php files and NOT in include files? Is it easy for hackers to get into my database?

    I ask this because I read the thread on includes and putting them in a protected directory. But I can't hide that I'm a newbie and have no idea how to do that .htaccess stuff (since the php.ini file belongs to my ISP!)


  2. #2 Hartmann, "chown linux:users\ /world" (Houston, TX, USA; joined Aug 2000; 6,455 posts)
    Well, if your server messes up and the file does not get parsed, you will have your database username and password just sitting out in the open... So putting your variables for databases in another file in another directory is usually the best idea.

  3. #3 Dumb PHP codin' cat (San Diego, CA; joined Aug 2000; 5,460 posts)
    Definitely in an include file, preferably outside the web root.
    Please don't PM me with questions.
    Use the forums, that is what they are here for.

  4. #4 SitePoint Author Kevin Yank (Melbourne, Australia; joined Apr 2000; 2,571 posts)
    You actually don't need to do any .htaccess stuff to do this. You can put the absolute path in your call to include().

    For example, if your Web directory on your ISP's server is /home/willow/www/ and you had a file called myscript.php in that directory that needed access to the database, you could put the connection parameters in directory /home/willow/phpinclude/db.php, and then use the following command in myscript.php to load it:

    Code:
    include("/home/willow/phpinclude/db.php");
    Kevin Yank
    CTO, sitepoint.com
    I wrote: Simply JavaScript | BYO PHP/MySQL | Tech Times | Editize
    Baby’s got back—a hard back, that is: The Ultimate CSS Reference

  5. #5 SitePoint Enthusiast (Florence, Italy; joined Jan 2001; 48 posts)
    The only place I could access outside the www root directory was the cgi-bin directory and figured that would be okay. But I get the following warning when I retrieve the page:

    Warning: Failed opening '/cgi-bin/phplib/navbar.inc' for inclusion (include_path='.:/usr/local/plesk/apache/lib/php') in /usr/local/plesk/apache/vhosts/crm4sme.com/httpdocs/includetest.php3 on line 9

    Is there any way to work around this? I've already contacted my ISP helpdesk but haven't heard from them yet!

    Willow

  6. #6 firepages, "********* wombat" (Perth, Australia; joined Jul 2000; 1,717 posts)
    Willow,
    if you keep your include files with a PHP-parsable extension, i.e. connect.php3 (some hosts set .inc/.htm/.phtml/etc. to be parsed by PHP as well), and if your host is running PHP as an Apache module, which you can check with the <? phpinfo(); ?> function, then the chances of anyone ever seeing your source code are very, very small indeed, less so than hackers breaking into the server some other way and then peeking at your files etc.

    For .php-parsed files to be displayed as plain text, the Apache server would need to be dead, in which case no one is going to see anything anyway.

  7. #7 SitePoint Author Kevin Yank (Melbourne, Australia; joined Apr 2000; 2,571 posts)
    If Apache were reinstalled without PHP support, or misconfigured so as to disable PHP support, then .php files would be sent as plain text. Assuming you have a decent host, this sort of thing should never happen. Still, it is possible.

    Willow, your cgi-bin directory is, I believe, accessible from the Web. What happens when you FTP to your account and then type cd .. to go to the parent directory, then type pwd to see the current directory?

    As for your script not being able to find the include file, you need to provide the complete path to the file on the server (not on your Web site). The pwd command in FTP will reveal the full path.
    <Edited by kyank on 01-29-2001 at 06:12 PM>
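Putting posts #4 and #7 together, here is an added example (not code from the thread or from SitePoint) of a myscript.php in the web root that loads its database credentials from an include outside the web root by absolute server path, using the /home/willow paths Kevin assumed. The contents of db.php, the key names and the PDO DSN are my assumptions.

```php
<?php
// Added example. Assumes the layout from post #4: the web root is /home/willow/www/
// and the credentials live in /home/willow/phpinclude/db.php, which is NOT under the web root.
// A constructed db.php would contain only a return statement, e.g.:
//   <?php return ['dsn' => 'mysql:host=localhost;dbname=willow', 'user' => 'willow', 'pass' => 'secret'];

declare(strict_types=1);

// Resolve the include from the script's own filesystem location, not from a web path such as
// /cgi-bin/phplib/... (the mistake behind the "Failed opening" warning in post #5).
// When this file is /home/willow/www/myscript.php, __DIR__ is /home/willow/www.
$configFile = dirname(__DIR__) . '/phpinclude/db.php';   // /home/willow/phpinclude/db.php

function loadDbConfig(string $path): array
{
    // Fail closed, and keep the server path and credentials out of the HTML response.
    if (!is_file($path) || !is_readable($path)) {
        error_log("db config missing or unreadable: $path");   // server log only
        http_response_code(500);
        exit('Database configuration error.');
    }
    $config = require $path;                                 // the file's return value
    foreach (['dsn', 'user', 'pass'] as $key) {
        if (!is_array($config) || !isset($config[$key])) {
            error_log("db config is missing key '$key'");
            http_response_code(500);
            exit('Database configuration error.');
        }
    }
    return $config;
}

$db = loadDbConfig($configFile);
try {
    $pdo = new PDO($db['dsn'], $db['user'], $db['pass'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
} catch (PDOException $e) {
    // Driver messages can include the host and user name; log them, do not display them.
    error_log('db connect failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Database connection error.');
}
unset($db);   // the password need not stay in scope for the rest of the request
```

If Apache ever served myscript.php unparsed, as post #7 describes, the reader would see only the path to db.php, not the credentials themselves, because db.php is outside the web root and cannot be requested by URL.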

