mysql_connect security

[stig1]

Is there anyway to put the password for the mysql connect statement encoding in like md5.

 

I currently put all my mysql config data in a php file called config in the web directory, and then call that file into mysql_connect, but i'm wondering if there is another way i can do it, cause the site i'm doing is an online store.

[PFMaBiSmAd]

What makes you think putting your database connection information as php code in a .php file is not safe?

[stig1]

if someone gets hold of that file, cause the password is in plain text in that php file, therefore not secure.

[jcbones]

Then put it in a sub-directory, and .htaccess it as "deny all".

 

Then no-one can access it via browser.  If they get it any other way, then you have much more to worry about.

[PFMaBiSmAd]

If someone has direct access to your source files on your server, it does not matter if they can see your mysql connection details or not. They can just read your msyql data files directly.

 

Also, if you were to encrypt/decrypt (which md5 is not, it is a one-way hash) your database connection details, the key needed to decrypt them would be present in your source code and again, if someone has that level of access to your files, it does not matter.

 

You are trying to make a non-problem into a problem.