MySQL question

jumbosheep · 09-02-2005

In a php script when you connect to a database through db, you write in your hosting provider, username, databse URL, and password to your server control panel; whats stopping someone from looking at the code, finding your database, then looking through your users passwords? Can you protect a database by adding a password to your directory? Any help is appreciated, Thanks.

scrowler · 09-02-2005

if you are talking about mysql connectivity on a linux or unix platform, then your database is not publically accessible through the HTTP protocol (someone can't just type in a link and download your database).

you provide your host name, username, password and database name, nowhere do you provide a URL unless using a remote database.

your mysql database details stored in a php script are completely safe from being read from anyone other than you, the server administrators and anyone else who has access to that file through the backend. people can't simply go view source in their browser and see your database password if you store it in a php variable, as php is a server side language and is processed before anything is sent to your browser.

you can set higher security levels and settings on your webserver and/or mysql server, but with most set ups, it is perfectly safe anyway and doesn't need to be safer. your passwords should be stored in hashed form in your database anyway, so even if someone did get in, they would only see a bunch of nonsense instead of a password.

if you are really paranoid about your database security or feel as if your content requires a higher level of security than what mysql databases generally offer, you may want to try using an Oracle database instead.

GoldNetX · 09-02-2005

Something I suggest is trying this. Create a file called mysql_connect.php. Have this file store the information and also the mysql_connect() function. Then put this file in a directory or two above wherever you haved your website. Such as:

If you website index is at:
folder1\folder2\www\index.php

Put the mysql_connect.php file in folder2, so that no one could link to it and download it. Then whenever you need to connect do something like this:

Code:

<?php include(../mysql_connect.php); ?>

I'm a bit rusty with my coding so that may not be exactly how to include it. But I find this method to work quite well.

You could also protect your connecting php file with a .htaccess, but I'm not very good at explainging that. There are plenty of tutorials on it though.

jumbosheep · 09-02-2005

Thanks for your help

Order · 09-04-2005

PHP code is not shown to the public, it is kept complete safe from their beady eyes.