Jump to content

Connect to DB securely using config file variables


melting_dog
 Share

Recommended Posts

Hi all,

 

I am using a ModX CMS and want to have my own php file (my.php) in the root directory that connects to the database independently of the CMS.

 

However, I am unsure of how to connect to the database securely ie: so that no-one sees my username and password etc.

 

The CMS has its own config file with all the DB connection info already in variables that is locked away in a folder with permissions set so that browsers cannot access it but I am unsure how to pass those varaibles to my.php (this occurs in the index.php file in the root but I have been unable to replicate it).

 

Can anyone suggest a way for me to do this?

 

Thanks!

Link to comment
Share on other sites

Php code inside of a .php file, using <?php ?> tags, is secure from prying eyes. Any php code in a .php file is parsed and executed on the server when the file gets requested. You only get any output that code sends. As long as you don't echo your username or password values, no one can see them by browsing to the file.

 

To prevent http requests to the file, to save some server resources should someone start requesting it or to protect in the rare case of php not working on the server, you can place your file outside the document root folder (closer to the disk root), place it into an existing or new folder that has had http requests disabled (there's nothing stopping you from putting your file into the same folder as the CMS's config file), or use a .htaccess file to stop http requests for that specific file no matter where it is placed.

 

Slightly off topic, but I have seen php scripts that store database username and password information in a specifically named .xml configuration file, with not one word about securing that file from http requests. You CAN browse to a .xml file and see the contents of it. You would also not want to use file extensions like .inc, .txt (anything other than .php) to put security related php code into.

Link to comment
Share on other sites

This thread is more than a year old.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.