including database connection


mattyvx

All,

 

I'm thinking of having my database connection in a separate file which I can include on the pages that need it using

include 'myfolder/myconnection.php';

Does this leave me open to a security risk? I mean, yeah, it removes the redundancy of typing out connect settings each time and makes it easier to regularly change your password, but:

What if someone else finds the file and then includes it in an external page, thus giving them access to my database... right?


I know it's used a lot but I was just thinking what if?....

Would they need to read it? Once it's included on the page someone with a bit of knowledge can run a few queries from an external site.

<?php
include 'http://www.mysite.com/connection.php';
// now they can run any query to my database
?>

The answer may well be no. Maybe if you call the file something inconspicuous then someone would never know what it was or find it... plus my connection files only have limited database access anyway.

Just food for thought really...


> I know it's used a lot but I was just thinking what if?....
>
> Would they need to read it? Once it's included on the page someone with a bit of knowledge can run a few queries from an external site.
>
> <?php
> include 'http://www.mysite.com/connection.php';
> // now they can run any query to my database
> ?>
>
> The answer may well be no. Maybe if you call the file something inconspicuous then someone would never know what it was or find it... plus my connection files only have limited database access anyway.
>
> Just food for thought really...

I've never really thought about it that way.

I'm sure it wouldn't work, but I'm still curious to know why it wouldn't work.


It doesn't leave you open to any security risks, and it's done like this often for the exact purpose you stated, to avoid redundantly writing your connection in every file. People can't just include your connection file like that.


How would they be able to read your source code without cracking into your server?

And why use "http://" in your path when you can include it from the filesystem rather than over TCP/IP?

Normally you'd want to keep your database configuration (e.g. constants defined in "config.inc.php") above your web document root.


It wouldn't work as you need the login details for the server. In the settings in your connection file you should have defined the MySQL server, usually as localhost, so they will not be able to access your db, as even if they did include it they would need to know the functions, and it would reference only localhost anyway.

Just to add, they can't redefine any variables or functions either, as you call the script each time it is required, meaning that the functions would be re-included each time this is done, resetting the database settings etc.


> It wouldn't work as you need the login details for the server. In the settings in your connection file you should have defined the MySQL server, usually as localhost, so they will not be able to access your db, as even if they did include it they would need to know the functions, and it would reference only localhost anyway.

This isn't why it wouldn't work. It wouldn't work because files included from a remote location only include the output of that script, not the variables, functions and classes themselves.


This thread is more than a year old. Please don't revive it unless you have something important to add.
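
The two points made in the replies above, that the settings file belongs above the web document root and that a remote caller only ever receives a script's output, shown as an added example (not code from the thread). The directory names, credentials and function names are constructed placeholders, the separate PHP process stands in for an HTTP request to the file, and the script needs PHP 7.3 or later.

```php
<?php
// Added example: paths, credentials and function names are constructed placeholders.
declare(strict_types=1);

// Throwaway layout: <base>/private sits above the document root <base>/public_html.
$base = sys_get_temp_dir() . '/include_demo_' . bin2hex(random_bytes(4));
mkdir("$base/private", 0700, true);
mkdir("$base/public_html", 0755, true);
$configFile = "$base/private/config.inc.php";

// The connection settings file returns values and prints nothing.
file_put_contents($configFile, <<<'CONFIG'
<?php
return [
    'host' => 'localhost',
    'user' => 'app_user',
    'pass' => 'example-password',
    'name' => 'app_db',
];
CONFIG);

// A page inside the document root loads the settings by filesystem path.
function load_db_config(string $docRoot): array
{
    return require dirname($docRoot) . '/private/config.inc.php';
}

// Stand-in for requesting the file over HTTP: it is executed in a separate
// PHP process and only what it prints comes back to the caller.
function output_seen_by_remote_caller(string $file): string
{
    $cmd = escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($file);
    return (string) shell_exec($cmd);
}

$settings = load_db_config("$base/public_html");
$remote   = output_seen_by_remote_caller($configFile);

printf("Local require: %d settings, user=%s\n", count($settings), $settings['user']);
printf("Separate process returned %d bytes of output\n", strlen($remote));

// Remove the temporary files.
unlink($configFile);
rmdir("$base/private");
rmdir("$base/public_html");
rmdir($base);
```

Keeping the file above the document root also covers the case where the server is misconfigured and serves `.php` files as plain text, since the file then has no URL at all.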
