[SOLVED] question about included .php files and security

[devdavad]

Hello, I was wondering how secure is it to start a mysql connection using a file like this

<?php
//db.php
define('SQL_USER', 'david');
define('SQL_PASS', 'password');
define('SQL_DB',  'db');
// Create a link to the database server
$link = mysql_connect('localhost', SQL_USER, SQL_PASS);
if(!$link) :
   die('Could not connect: ' . mysql_error());
endif;
// Select a database where our member tables are stored
$db = mysql_select_db(SQL_DB, $link);
if(!$db) :
   die ('Can\'t connect to database : ' . mysql_error());
endif;
?>

and include it in every .php script you need to connect to the same database (like putting include(db.php); at the top of every page on that web server that needs to use that connection). It seems to me that just having your mysql password in your .php file would be hazardous to the security of your site.

[devdavad]

...

Well shit that was ironic. First post actually had my real password to my sql server (but not my password to this site).

[.josh]

yes, making a file to be included like that is more secure.  Put it in a folder above your public_html, though.

[.josh]

...

Well shit that was ironic. First post actually had my real password to my sql server (but not my password to this site).

 

haha i can click my back button and get the original unedited version since i was replying before your edit :evilgrin j/k  :-X

[devdavad]

...

Well shit that was ironic. First post actually had my real password to my sql server (but not my password to this site).

 

haha i can click my back button and get the original unedited version since i was replying before your edit :evilgrin j/k  :-X

Noooooooooo! Crap why am I so retarded?

Plus you are a mod; can't you see the different changes people make in their posts / reverse an edit?

Welllllllllllllllllllll, time to make new passwords anyway.

[PFMaBiSmAd]

Assuming php is functioning on your web server, any file that is accessible through the http/https protocol that ends in a .php extension will be parsed by php when it is requested (by a browser, search engine, bot script...). Unless you are echoing your defined constants and variables, no one can see what these values are.

 

Also, hopefully you don't have an anonymous FTP (or any other type of anonymous protocol) account setup so that someone can access the files through FTP.

 

Placing the files outside of your web document root folder (closer to the disk root folder) will make them accessible only to programs on the server that have permission to access the folder they are in.

[.josh]

Noooooooooo! Crap why am I so retarded?

Plus you are a mod; can't you see the different changes people make in their posts / reverse an edit?

Welllllllllllllllllllll, time to make new passwords anyway.

 

Nope, SMF does not provide us with those sort of features.  Not even admin can do that.  Unless the database happened to be backed up between the time you posted and edited it, it's forever gone. 

[Lodius2000]

like crayon violet said store it above public_html, other than that i hink it would be safe to say that that is the method that most all of us use to connect and it must be secure because that is how all of my php books say to do it.

I have wondered about this security myself, and definately how to breach it, because your db info is about as exposed as you can be on your site without just giving away your site admin login