Security question

[Willow]

How unsafe is it to keep the database connection (thus username and password) in the php files and NOT in include files? Is it easy for hackers to get into my database?

I ask this because I read the thread on includes and putting them in a protected directory. But I can't hide that I'm a newbie and have no idea how to do that .htaccess stuff (since the php.ini file belongs to my ISP!)

[Hartmann]

Well if your server messes up and the file does not get parsed, you will have your database username and password just sitting out in the open..... So putting your variables for databases in another file in another directory is usually the best idea.

[freddydoesphp]

Definitely in an include file preferably outside the web root.

[Kevin Yank]

You actually don't need to do any .htaccess stuff to do this. You can put the absolute path in your call to include().

For example, if your Web directory on your ISP's server is /home/willow/www/ and you had a file called myscript.php in that directory that needed access to the database, you could put the connection parameters in directory /home/willow/phpinclude/db.php, and then use the following command in myscript.php to load it:

Code:

include("/home/willow/phpinclude/db.php");

[Willow]

The only place I could access outside the www root directory was the cgi-bin directory and figured that would be okay. But I get the following warning when I retrieve the page:

Warning: Failed opening '/cgi-bin/phplib/navbar.inc' for inclusion (include_path='.:/usr/local/plesk/apache/lib/php') in /usr/local/plesk/apache/vhosts/crm4sme.com/httpdocs/includetest.php3 on line 9

Is there anyway to work around this? I've already contacted my ISP helpdesk but haven't heard from them yet!

Willow

[firepages]

Willow,
if you keep your include files with a PHP parsable extention, ie connect.php3 (some hosts set .inc/.htm/.phtml/ etc to be parsed by php as well) and if your host is running php as an apache module, which you can check with the <? phpinfo();?> function then the chances of anyone ever seeing your source code are very very small indeed ,less so than hackers breaking into the server some other way and then peeking at your files etc.

For .php parsed files to be displayed as plain text , the apache server would need to be dead, in which case no one is going to see anything anyway.

[Kevin Yank]

If Apache were reinstalled without PHP support, or misconfigured so as to disable PHP support, then .php files would be sent as plain text. Assuming you have a decent host, this sort of thing should never happen. Still, it is possible.

Willow, your cgi-bin directory is, I believe, accessible from the Web. What happens when you FTP to your account and then type cd .. to go to the parent directory, then type pwd to see the current directory?

As for your script not being able to find the include file, you need to provide the complete path to the file on the server (not on your Web site). The pwd command in FTP will reveal the full path.
<Edited by kyank on 01-29-2001 at 06:12 PM>