  1. #1 SitePoint Member

    security of password in mysqli_connect

    A newbie here... As I go through this book (Build Your Own Database Driven Web Site Using PHP & MySQL) I wondered how the password that you put into the mysqli_connect function ($link = mysqli_connect('localhost', 'root', 'supersecretpassword')) is protected.

    What prevents someone else from looking at your .php file and seeing it?

    I'm only on page 185 so if it's answered later in the book just let me know and I'll be patient.

    thanks, mark
    Last edited by emagify; Jun 30, 2011 at 07:59. Reason: forgot to put book i'm using

  2. #2 Aleksejs (secure webapps for all)
    Basically, the assumption is that no one except you or the web server that executes your scripts can see their source. That is one of the reasons why you should be extra careful with file permissions, temporary backup files that IDEs sometimes create, and shared hosting as such, because more often than not they are poorly configured.

  3. #3 SitePoint Member
    What do you mean when you say "the IDEs sometimes create"? What's an IDE in this context?

  4. #4 Aleksejs (secure webapps for all)
    Integrated Development Environment, like Eclipse, NetBeans, PhpStorm or any editor you use to do your programming. Some editors create backups of files you edit and name them with an extension other than .php. If you upload the whole directory, they get uploaded to the server along with the changed files, and a typical server setup returns files with an unknown extension as text/plain. Thus the attacker can make an educated guess and try to download a file that, along with exposing internal logic (and possibly vulnerabilities), also exposes the credentials you are using to access the DB.

  5. #5 SitePoint Member
    Thanks for the explanation! mark

  6. #6 felgall (Programming Since 1978)
    You can put the config file above the web root folder. Then, even if PHP were to get turned off for some reason, people would still be unable to see the password hard-coded in that file.
    Stephen J Chapman


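The layout felgall describes in #6, combined with the backup-file concern from #4, as an added example (not code from the thread, the book, or any poster). The directory layout, account name and password below are hypothetical placeholders; the script also refuses to load a config file that resolves to a path inside the document root, so a misplaced copy is caught at startup rather than served as text later. It assumes PHP 8 for str_starts_with().

```php
<?php
// Added example: keep DB credentials in a file one level ABOVE the web root
// and load it from the public entry script. All paths and values below are
// hypothetical.
//
// Assumed layout:
//   /var/www/example/config/db.php      <- not reachable by any URL
//   /var/www/example/public/index.php   <- DOCUMENT_ROOT is /var/www/example/public
//
// ---- contents of /var/www/example/config/db.php ----
// <?php
// return [
//     'host'     => 'localhost',
//     'user'     => 'app_user',            // a least-privilege account, not root
//     'password' => 'placeholder-password',
//     'database' => 'app',
// ];
//
// ---- /var/www/example/public/index.php (this file) ----

/**
 * Resolve the config path and refuse it if it sits inside the document root,
 * where a disabled PHP handler or a stray editor backup (db.php.bak, db.php~,
 * .db.php.swp) could expose it as text/plain.
 */
function loadDbConfig(string $configPath, string $documentRoot): array
{
    $real = realpath($configPath);
    $root = realpath($documentRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('Config file or document root not found');
    }
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (str_starts_with($real, $rootPrefix)) {
        throw new RuntimeException('Refusing to load DB config from inside the web root');
    }

    $config = require $real;
    foreach (['host', 'user', 'password', 'database'] as $key) {
        if (!isset($config[$key])) {
            throw new RuntimeException("DB config is missing '$key'");
        }
    }
    return $config;
}

$config = loadDbConfig(__DIR__ . '/../config/db.php', $_SERVER['DOCUMENT_ROOT']);

// Make mysqli throw on failure instead of returning false, so a bad
// connection does not surface later as a warning that echoes details.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$link = mysqli_connect(
    $config['host'],
    $config['user'],
    $config['password'],
    $config['database']
);

// ... application code using $link ...

mysqli_close($link);
```

Two points worth noting about the design: the public script never contains the password itself, so a leftover index.php.bak in the web root leaks only the relative path to the config file, not the credentials; and the config file is a PHP file that returns an array, so even if it were ever served by the PHP handler it would produce no output.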