  1. #1
    TWTCommish (SitePoint Wizard)
    Hi,

    Per Kevin's article series, I decided to stick my PHP/SQL connection info (username, password, etc) in a file called "connect.inc"...which I then called upon when needed; the bad part is that contrary to what I was expecting, the connect.inc file is fully viewable from the web; any way to fix this? Obviously it's a hole that needs to be filled...



    ------------------
    Chris Bowyer chris@mycoding.com
    MyCoding.com: Visit for Launch Notification!
    DomainMailings.com: Who Says All The Good Ones Are Taken?
    MovieForums.com: Talk About Your Favorite Flicks!

  2. #2
    Hierophant (Sitepoint Forums Administrator)
    It is not a hole that needs to be fixed; it is how the Internet was designed to work.

    The same thing happens if the file has PERL or VBscript (ASP) in it.

    There are two ways to fix it.

    1. Have your host make sure that the .inc extension is always parsed as PHP. Of course this can be bad because it can be in .ini style, PERL or even javascript on a Unix Host.

    2. Rename your include files .php or whatever your PHP extension is. Then they will be parsed and the user will either see nothing or an error.

    Option 2 is the best and easiest method to implement.

    ------------------
    Wayne Luke - Sitepoint Forums Administrator
    Digital Magician Magazine - MetaQuark Creations (Coming Soon)
    wayne@sitepoint.com

  3. #3
    TWTCommish (SitePoint Wizard)
    I'll give that a try; the reason I'm so confused is that I'm pretty sure Kevin said that the .inc file would not be viewable from the web...




  4. #4
    Hierophant (Sitepoint Forums Administrator)
    Here are a couple of excerpts from Kevin's article about include files.

    [quote]
    The above file, include-me.inc, contains some simple PHP code. Notice that the name of the file ends in .inc, not .php. The idea here is to name the file something other than what your Web server expects for a PHP script. This will ensure that the file can only be executed when included in one of your .php files, and also helps you tell apart your PHP Web pages from your PHP include files.
    [/quote]

    [quote]
    Increasing Security with Includes

    PHP scripts will sometimes contain sensitive information like usernames, passwords, and other things you don't want the world to have access to. By now you're probably used to the mysql_connect function, which requires you to put your MySQL username and password in a PHP script that needs access to a database. While you can simply set up MySQL so that the username and password used by PHP cannot be used by potential hackers (by setting the Host field in the user table as described in Part 8), you would probably still rest easier knowing that your username and password are protected by an extra level of security.

    "But wait a minute," you might be saying. "Since the PHP is processed by the server, nobody gets to see my password anyway, right?" Right. But consider what would happen if PHP stopped working on your server. Whether due to an accidental software misconfiguration made by a well-meaning associate or due to some other factor, if PHP stopped working on your server, the PHP pages would be served up as plain text files, with all your PHP code (including your password) there for the world to see!

    To guard against this kind of security breach, you should put any security-sensitive code into an include file and put that file in a directory that is not part of your Web server's directory structure. By adding that directory to your PHP include_path setting (in php.ini), you can refer to the files directly with the PHP include function, but have them tucked away safely somewhere where your Web server can't display them as Web pages.

    For example, if your Web server expects all Web pages to exist in /home/httpd/ and its subdirectories, you could create a directory called /home/phplib/ to house all of your include files. Add that directory to your include_path, and you're done! The following example shows how you can put your database connection code into an include file:


    <!-- dbConnect.inc (in /home/phplib/) -->
    <?php
    $cnx = mysql_connect("localhost", "root", "rootpassword");
    ?>

    And a file that uses this include:


    <!-- dbSample.php (in /home/httpd/) -->
    <?php
    // Connect to MySQL
    include("dbConnect.inc");
    mysql_select_db("myDatabase", $cnx);
    ...

    As you can see, if PHP stops working on your server, all that will be exposed is a call to the include function. The username and password are safely stored in dbConnect.inc, which cannot be accessed directly from the Web.

    [/quote]


    I hope this clears things up for you.


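The layout the quoted article recommends, combined with the rename from post #2, as an added example (not the article's code and not code posted in this thread). It assumes the same /home/httpd/ document root and /home/phplib/ library directory as the article, uses PDO in place of the old mysql_connect call shown above, and adds a guard so the include file also emits nothing if it is ever requested directly. The connection settings are placeholders.

```php
<?php
// ---- /home/phplib/dbConnect.php (added example; paths assumed from the article) ----
// This file lives OUTSIDE the document root (/home/httpd/), so the web server
// has no way to serve it even if PHP itself stops working.
// It is named .php rather than .inc so that, should a copy ever land under
// the document root, the server parses it instead of showing the source.

// Belt and braces: if this file is requested directly instead of being
// included, stop before anything below runs or is echoed.
// SCRIPT_FILENAME is the including script when we are included, and this
// file only when it is the request target.
if (realpath($_SERVER['SCRIPT_FILENAME'] ?? '') === __FILE__) {
    http_response_code(404);
    exit;
}

// Credentials live here and nowhere under /home/httpd/. Placeholder values.
$dbDsn  = 'mysql:host=localhost;dbname=myDatabase;charset=utf8mb4';
$dbUser = 'app_user';   // a least-privilege account, not root
$dbPass = 'CHANGE-ME';

try {
    $cnx = new PDO($dbDsn, $dbUser, $dbPass, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
} catch (PDOException $e) {
    // Log the detail, but never echo it: the message can include host and user.
    error_log('DB connection failed: ' . $e->getMessage());
    exit('Database unavailable');
}
// ---- end of dbConnect.php ----

// ---- /home/httpd/dbSample.php (added example) ----
// Either set include_path in php.ini:   include_path = ".:/home/phplib"
// or extend it per script, then require the file by bare name.
set_include_path('/home/phplib' . PATH_SEPARATOR . get_include_path());
require 'dbConnect.php';   // $cnx now holds the PDO connection

$stmt = $cnx->query('SELECT 1');
echo $stmt->fetchColumn();   // prints 1 once the connection works
```

If a site must keep the .inc name for other reasons, the server-side counterpart of option 1 is to block the extension outright in httpd.conf (for Apache 2.4, a `<Files "*.inc">` block containing `Require all denied`): a denied file leaks nothing regardless of which handler is mapped to it, whereas "parse .inc as PHP" still serves whatever a non-PHP .inc file contains.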

  5. #5
    TWTCommish (SitePoint Wizard)
    My mistake, I must have misremembered a bit. Thanks for the free research.
