Jump to content

Recommended Posts

Hi guys,

 

  I got a db-connect.php with the following content:

 

<?php

 

$con = mysql_connect("sdalk.com","root","root");

if (!$con){

  print('<div style="padding:10px;background-color:#EE9A00;font-family:arial;font-size:22px;font-weight:bold;color:#292421">We are having some system issue here. Please come back later !</div>');

  exit;

}

mysql_select_db("sdalk", $con);

 

?>

 

so if says index.php want to access database, it will include it like :

 

<?php

 

require_once("db-connect.php");

 

....

 

mysql_close($con);

 

?>

 

I am afraid that if there is a visitor who knows that my db-connect.php exist, then he will like go directly to access this file where he will enter in the browser like:

 

http://www.sdalk.com/db-connect.php

 

and there will be a lot of openning connection without closing the connection.

 

is there any safe way to like detect if db-connect.php is access directly thru browser, then jus ignore it or redirect visitor to other page?

 

Appreciate if someone can help me on this matter.

 

Thanks & Regards,

Mark

 

Link to comment
https://forums.phpfreaks.com/topic/136487-prevent-direct-access-a-php-file/
Share on other sites

Or try the following:

 

In the db-connect (or any included) file start it with:

<?php defined('_VALID_INCLUDE') or die('Direct access not allowed.');

 

and in the index (or any 'container' file) put the following (before the included file of course):

define('_VALID_INCLUDE', TRUE);

 

 

ok guys. thanks a lot for your advice. I really appreciate your help here. So should I change my db-connect.php to be like the following:

 

<?php

 

defined('_VALID_INCLUDE') or die('Direct access not allowed.');

 

if (basename($_SERVER['PHP_SELF']) == __FILE__)  {

  exit();

}

 

$con = mysql_connect("sdalk.com","root","root");

if (!$con){

  print('<div style="padding:10px;background-color:#EE9A00;font-family:arial;font-size:22px;font-weight:bold;color:#292421">We are having some system issue here. Please come back later !</div>');

  exit;

}

mysql_select_db("sdalk", $con);

 

?>

Hello psyickphuk,

 

    is the below correct :

 

<?php

 

defined('_VALID_INCLUDE') or die('Oops .... direct access is not allowed.');

 

require_once("db-connect.php");

require_once("global-setting.php");

require_once('recaptchalib.php');

require_once("error-code.php");

 

....

 

?>

 

where I just need to declare once for the

 

defined('_VALID_INCLUDE') or die('Oops .... direct access is not allowed.');

 

??

 

regards,

Mark

 

Or try the following:

 

In the db-connect (or any included) file start it with:

<?php defined('_VALID_INCLUDE') or die('Direct access not allowed.');

 

and in the index (or any 'container' file) put the following (before the included file of course):

define('_VALID_INCLUDE', TRUE);

if u really want to put it in public_html, try adding a htaccess file that includes the following lines:

Order Deny,Allow
Deny from all

but u have to add this to a folder and have that file u wish not to be accessed directly in the same directory.

Ted.

Yes, the best thing to do is just keep it outside of your web root directory.

 

I have a db connect class that lives outside of my web root, I use the 1 file for multiple sites that I have hosted on this particular server.

 

That is the safest way to do it.

 

Nate

I usually just stick my connection definitions (host/user/pass/database) outside the web root.  Not sure what benefit sticking the whole class there is, without the connection info they can't do anything if you have the rest of the server set up properly.

I usually just stick my connection definitions (host/user/pass/database) outside the web root.  Not sure what benefit sticking the whole class there is, without the connection info they can't do anything if you have the rest of the server set up properly.

 

My particular class has my connection details in it for multiple databases. I use it for several sites so I have a completely standard way of accessing databases. When I instantiate the class, I pass an argument to it which represents a particular database. e.g.

 

$db = new cDatabase('blog'); // creates connections to the blog database
$db2 = new cDatabase('shoppingCart'); // creates connections to the shopping cart database.

 

That's why I do this. I have a shared host and I run about 5-6 sites from it. I use this one file for all the sites.

 

Nate

Ah, well when I make a db class I instantiate it like the following:

$db = new DBHandler(DB_HOST, DB_USER, DB_PASS, DB_NAME);

so I can have a file with this outside of web root:

define('DB_HOST', 'myhost.com');
define('DB_USER', 'username');
define('DB_PASS', 'password');
define('DB_NAME', 'database');

I think its much easier to maintain because you don't have to go manually changing the class (to change the host, user, pass)...just the config file.

Ahh, to each his own I guess.... When I want to add a new database connection to the file, I add one of these buggers...

 

elseif($type == 'NAME_TO_PASS')
{ 
$hostName='HOSTNAME';
$userName='USERNAME';
$passwordName='PASSWORD';
$databaseName='DB_NAME';
}

 

This works quite well for me. I could clean up the run of 4-6 if/elseif/elseif/else block, but... I am lazy and it works.. so I don't fix it :)

 

I like this, because I don't have to mess with the db info but once in a great while. On my shared host, I can't specify anything but the password (which I usually leave alone as it is a pretty darn secure one) and I end up with things like db45678912332 <- db name, dbo45678912332 <-- db username, 456123.hostname.net <-- host.

 

But again, preferences.

 

Nate

Most of the stuff I write I sell to clients, so to help the dumb clients (most of them are anyway) I like to have just 1 file where they can change all major settings in so they don't have to go digging all over trying to find where to change stuff.  It seems like your situation is different in that you use your own stuff, so you know where all of the changes need to be made.

Yes, this is true....

 

However when I am creating for clients, then yes I would use a config file that held that information to make it easy for them to change when the need arises.

 

So different situations call for different methods.

 

In my previous job, I had the same kind of deal. Running multiple sites from a VPS and did the same thing. 1 db class file outside the root accesible to all sites and called the proper db per need. In some files i actually needed to make calls to 2 different databases so this was very handy. They had a "public" and "private" area, (2 different sites and 2 different domain names) each with it's own db. In the "private" area, after you logged in, you could manage parts of the "public" area so this was nice to be able to access multiple databases from 1 file by instantiating the class twice with a different argument to "talk" to each database.

 

 

When you connect through FTP, you should be brought into the root directory. Often there are several sub-directories such as (remember there are several common names for most of these)..

 

- logs

- htdocs

- private

 

"logs" will obviously contain logs, for things such as errors.

"htdocs" is the web root. Everything beyond htdocs is technically accessible through a browser.

"private" is kind of miscellaneous directory - store your private files in here (such as your db-connect.php file).

 

You could use private (or whatever similar name yours has), or you could create your own, say "php"?

 

As I said only files within htdocs are accessible through a browser, however in your PHP scripts you can still include files from the other directories.

 

So assuming you're in your web root directory, you could use:

 

include '../php/db-connect.php';

 

Which will still work no problems, but isn't accessible to anyone but you and your scripts!

 

A

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.