Canadian, posted September 14, 2010 (https://forums.phpfreaks.com/topic/213349-secure-connection-to-database/)

I'm connecting to my database using the following...

@ $db = new mysqli('host', 'username', 'password', 'database')

The .php file that is connecting to the database is in my root (htdocs) folder on the server. I know that I am not supposed to put my actual 'host', 'username', 'password', 'database' inside the mysqli function for security purposes. I know that I am supposed to put variables in instead. But here is where I am confused. Where do I set those variables? Do I set them in another file and include that file? If so, where do I store the file that holds the passwords, and what prevents a hacker from simply navigating to that file?

Thanks for the help
PFMaBiSmAd, posted September 14, 2010

You can put the actual host/user/password/database string into the mysqli() statement and it has nothing directly to do with security (if someone has direct access to your source php files, it does not matter where you put or define the values), but:

1) If you are just learning and happen to post your code, they will get posted on a public forum.
2) If you have more than one file that makes a database connection, you will need to repeat the values, and any time you change any of the values you must edit them in all the files.

So, if you use variables or defined constants and then set those variables or define the constants in a file that is included into your main code, you can avoid both those problems. The actual settings are only in one place.

Putting the settings into a .php file that is included is also not directly a security issue, as long as you use a .php file. The php code that is setting the variables or defining the constants is parsed if the file is directly browsed to, and the only output would be due to any HTML or echo/print... statements in the file. As long as you don't echo "My db password is: $password"; your information is safe.

However, you generally want to prevent the needless execution of your code in your included files, so you would use one of the following methods:

1) Put code into the file to detect direct request/browsing to the file and die/exit.
2) Put the files into a folder that is outside (closer to the disk root) so that they cannot be browsed to.
3) Put the files into a folder that you have secured to prevent all http requests to the files in that folder.
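An added worked example (not code from the thread or from either poster) putting the three methods above together: the settings live once in a config file stored above htdocs, the file refuses to run when it is the script requested directly, and the connecting code pulls it in by filesystem path. The directory layout, the constant names, the db_connect() helper and the placeholder credentials are all assumptions for illustration.

```php
<?php
// Assumed layout (not from the thread):
//   /home/site/config/db_config.php   <- outside htdocs, so it cannot be browsed to (method 2)
//   /home/site/htdocs/db.php          <- lives under the web root and requires the config
//
// If the config folder has to stay under htdocs, an Apache 2.4 .htaccess in that
// folder containing "Require all denied" blocks all HTTP requests to it (method 3).

// ===== /home/site/config/db_config.php =====

// Method 1: when PHP was entered through this file directly, SCRIPT_FILENAME is this
// file; when it is included from another script, SCRIPT_FILENAME is that script.
if (isset($_SERVER['SCRIPT_FILENAME'])
    && realpath($_SERVER['SCRIPT_FILENAME']) === realpath(__FILE__)) {
    http_response_code(404);   // look like any other missing file
    exit;
}

// Placeholder values (constructed for the example); defined in exactly one place.
define('DB_HOST', 'localhost');
define('DB_USER', 'app_user');
define('DB_PASS', 'change-me');
define('DB_NAME', 'app_db');

// ===== /home/site/htdocs/db.php =====

// Returns an open connection; every page that needs the database calls this
// instead of repeating the credentials.
function db_connect(): mysqli
{
    // __DIR__ is htdocs; dirname(__DIR__) walks up to /home/site.
    require_once dirname(__DIR__) . '/config/db_config.php';

    // Throw on failure rather than silencing errors with the @ operator,
    // so a bad password is noticed in the log instead of producing a null $db.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

    try {
        return new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    } catch (mysqli_sql_exception $e) {
        // The message can contain host and user names: keep it server-side only.
        error_log('DB connection failed: ' . $e->getMessage());
        exit('Database unavailable.');
    }
}

// Usage from any page under htdocs:
//   require_once __DIR__ . '/db.php';
//   $db = db_connect();
```

Note that the guard in the config file works because PHP populates $_SERVER['SCRIPT_FILENAME'] with the script the web server asked it to run, not with the file currently being executed; under the command line the variable is also set, so running the config file alone from a shell is refused the same way, which is normally what you want.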
Canadian (author), posted September 14, 2010

> You can put the actual host/user/password/database string into the mysqli() statement and it has nothing directly to do with security (if someone has direct access to your source php files, it does not matter where you put or define the values), but:
>
> 1) If you are just learning and happen to post your code, they will get posted on a public forum.
> 2) If you have more than one file that makes a database connection, you will need to repeat the values, and any time you change any of the values you must edit them in all the files.
>
> So, if you use variables or defined constants and then set those variables or define the constants in a file that is included into your main code, you can avoid both those problems. The actual settings are only in one place.
>
> Putting the settings into a .php file that is included is also not directly a security issue, as long as you use a .php file. The php code that is setting the variables or defining the constants is parsed if the file is directly browsed to, and the only output would be due to any HTML or echo/print... statements in the file. As long as you don't echo "My db password is: $password"; your information is safe.
>
> However, you generally want to prevent the needless execution of your code in your included files, so you would use one of the following methods:
>
> 1) Put code into the file to detect direct request/browsing to the file and die/exit.
> 2) Put the files into a folder that is outside (closer to the disk root) so that they cannot be browsed to.
> 3) Put the files into a folder that you have secured to prevent all http requests to the files in that folder.

Awesome response! Thank you very much. This got me laughing...

> As long as you don't echo "My db password is: $password"; your information is safe.

Thanks again, Chris
Pikachu2000, posted September 14, 2010

Anyhow, to truly help us answer your question, just add this next line to your code, then post the output:

echo "My db password is: $password.";