algorithm (posted February 22, 2010):

Hey, I'm somewhat new to PHP and I was wondering if it is safe to execute PHP scripts that access my MySQL database from the browser? I've password-protected the files, of course, but is there an internal way to do it?
Goat (posted February 22, 2010):

What do you mean by 'accessing'? Most PHP scripts send queries to MySQL and print output in some way. If you are talking about a script that lets you type SQL queries in the browser and executes them, you certainly need a degree of protection, of course. The simplest way would be to add another text field (you need one to type the query in), call it 'password' or something, and put in an if clause to check that it matches.

Regards, Goat
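The following is an added example, not code from Goat or from the original thread. It implements the gate Goat describes (a 'password' field checked before any query runs) in the form a practitioner would actually deploy: the password is compared with password_verify() against a hash stored outside the web root rather than a plaintext string in the script, the form carries a CSRF token compared with hash_equals(), the database account is assumed to be SELECT-only, and query errors are logged server-side instead of echoed. The hash file path, DSN and credentials are placeholders, and str_contains() assumes PHP 8.

```php
<?php
// Added example, not code from the thread. A minimal browser SQL console gated the
// way Goat describes (a 'password' field checked before anything runs), with the
// checks done safely: the password is compared against a stored hash, the database
// account is read-only, and the form carries a CSRF token.
declare(strict_types=1);

session_start();

// Assumption: path to a file outside the web root holding the output of
// password_hash('<admin password>', PASSWORD_DEFAULT). Placeholder path.
const HASH_FILE = '/etc/myapp/admin_hash.txt';

// Assumption: connection details for a MySQL account granted SELECT only. Placeholders.
const DSN     = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';
const DB_USER = 'app_readonly';
const DB_PASS = 'PLACEHOLDER';

function renderForm(string $csrf, string $notice = ''): void
{
    $csrf   = htmlspecialchars($csrf, ENT_QUOTES, 'UTF-8');
    $notice = htmlspecialchars($notice, ENT_QUOTES, 'UTF-8');
    echo <<<HTML
<form method="post">
  <p>$notice</p>
  <input type="hidden" name="csrf" value="$csrf">
  <label>Password <input type="password" name="password"></label><br>
  <label>Query <textarea name="query" rows="4" cols="60"></textarea></label><br>
  <button type="submit">Run</button>
</form>
HTML;
}

// One CSRF token per session; created only if absent.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    renderForm($_SESSION['csrf']);
    exit;
}

$token    = (string) ($_POST['csrf'] ?? '');
$password = (string) ($_POST['password'] ?? '');
$query    = trim((string) ($_POST['query'] ?? ''));

// hash_equals() is a constant-time comparison, so the token check does not leak
// how many leading bytes matched.
if ($token === '' || !hash_equals($_SESSION['csrf'], $token)) {
    http_response_code(403);
    exit('Bad request token.');
}

// password_verify() is also constant-time and understands the password_hash() format,
// so the plaintext password never needs to appear in this file.
$storedHash = trim((string) file_get_contents(HASH_FILE));
if ($password === '' || !password_verify($password, $storedHash)) {
    usleep(250000); // slow down online guessing a little
    http_response_code(403);
    renderForm($_SESSION['csrf'], 'Wrong password.');
    exit;
}

// Defence in depth: the script accepts a single SELECT, and the account could not
// write anyway because it was granted SELECT only.
if (!preg_match('/^SELECT\b/i', $query) || str_contains($query, ';')) {
    renderForm($_SESSION['csrf'], 'Only a single SELECT statement is allowed.');
    exit;
}

$pdo = new PDO(DSN, DB_USER, DB_PASS, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

try {
    $rows = $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
} catch (PDOException $e) {
    // Log the real error server-side; show the user only that it failed.
    error_log('console query failed: ' . $e->getMessage());
    renderForm($_SESSION['csrf'], 'Query failed.');
    exit;
}

echo '<pre>' . htmlspecialchars(print_r($rows, true), ENT_QUOTES, 'UTF-8') . '</pre>';
renderForm($_SESSION['csrf']);
```

The page should only ever be served over HTTPS, since the password travels in the POST body; the SELECT-only database account matters more than the regex, because the regex is a convenience check and the grant is what actually prevents writes.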
jcanker (posted February 22, 2010):

I would say it's bad mojo. While passing variables in the URL has its place, I'm reluctant to pass variable names through the URL (e.g. GET variables) because it gives away some of the information needed if someone did want to try to start hacking a script. If you start revealing SQL info, such as table and column names, that's just inviting someone to poke around and see what info they can mine. My personal advice is to pass most stuff through POST. At the very least, obfuscate your variable names and don't use the same variable name as a SQL column name if you're passing data through GET. GET is convenient, as you can create links with the data in the URL. POST is safer as you're not shoving the data in their face.

One of my early PHP projects was to create a library for all my DVDs. That stuff I send through GET, because I don't care if someone hacks my DVD database. All it really does is alphabetize them and tell me what binder they should be in and in what order. I can search by actor, director, etc., and see what other movies I have with that person; that sort of basic stuff.

My tech services page, however, is all POST. I'm not about to invite someone to start replacing customer IDs in the URL and see what they can come up with, even if I do a login security check at the page load. That's my $.02.
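The following is an added example, not code from jcanker or from the thread. jcanker's concern is someone replacing the customer ID in the URL; moving the ID into a POST body keeps it out of the address bar but does not stop a tampered request, so the server-side check has to be an authorization check (does this record belong to the logged-in user?), not just a login check. The example takes the ID from either GET or POST, validates it, and shows a weak lookup (login check plus string-interpolated query) beside the hardened one (owner bound into the WHERE clause, prepared statement). The session key, table and column names, DSN and credentials are placeholders.

```php
<?php
// Added example, not code from the thread. Whether the customer id arrives via GET or
// POST, it is attacker-controlled input; the fix is to tie the lookup to the logged-in
// user, not to hide the parameter.
declare(strict_types=1);

session_start();

// Assumption: a login step elsewhere has already stored the account id in
// $_SESSION['user_id']. Table/column names (customers, id, owner_id, name, email)
// are placeholders.
function requireLogin(): int
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        exit('Please log in.');
    }
    return (int) $_SESSION['user_id'];
}

function requestedCustomerId(): int
{
    // Accept the id from POST or GET; either way it is validated as a positive
    // integer before it gets anywhere near the database.
    $raw = $_POST['customer_id'] ?? $_GET['customer_id'] ?? '';
    $id  = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        exit('Invalid customer id.');
    }
    return $id;
}

// Weak ("before"): login check only. Any logged-in user can read any customer by
// changing the id, and interpolating into the SQL string leaves the query open to
// injection the moment the integer validation above is relaxed.
function fetchCustomerWeak(PDO $pdo, int $id): ?array
{
    requireLogin();
    $row = $pdo->query("SELECT id, name, email FROM customers WHERE id = $id")
               ->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened: the owner is part of the WHERE clause, so a foreign id simply returns no
// row, and both values are bound parameters rather than part of the SQL text.
function fetchCustomerOwned(PDO $pdo, int $id, int $ownerId): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, name, email FROM customers WHERE id = :id AND owner_id = :owner'
    );
    $stmt->execute([':id' => $id, ':owner' => $ownerId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Assumption: connection details; placeholders.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', 'app', 'PLACEHOLDER', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

$ownerId  = requireLogin();
$customer = fetchCustomerOwned($pdo, requestedCustomerId(), $ownerId);

if ($customer === null) {
    // Same response for "no such id" and "not yours", so ids cannot be enumerated
    // by watching which ones return 403 versus 404.
    http_response_code(404);
    exit('Not found.');
}

header('Content-Type: text/html; charset=utf-8');
echo '<p>' . htmlspecialchars($customer['name'], ENT_QUOTES, 'UTF-8') . '</p>';
```

With the ownership check in place the choice between GET and POST becomes a usability and logging question (URLs end up in browser history, proxy logs and Referer headers) rather than the thing standing between a user and someone else's record.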