port80 Posted December 4, 2013

Hello and thank you for any help you may provide. I am a n00b at programming and PHP. I am teaching myself PHP and MySQL. I have a web form that collects data and inserts it into a MySQL database.

I have found that

    $dbc = mysqli_connect('hostname', 'username', 'password', 'databasename')

is not a secure way of storing passwords for database connections. As I understand it, database connection credentials should be in a separate file with a .inc extension. How does that work? Is this correct / will this work?

    $dbc = mysqli_connect( include (dbconnect.inc))

What is the proper way to do this?

QuickOldCar Posted December 4, 2013

Include your mysql connection file at the top of your scripts

    include('dbconnect.inc');

Then when calling on your connection something like this

    $result = mysqli_query($dbc, "your query here");

kicken Posted December 4, 2013

Storing your database credentials (and/or connection code) in a separate file is not so much for security but rather convenience. If you ever need to change them you only have one place to do it rather than in every page.

If you do separate them out, your include files should also have a .php extension, however you may include .inc as an extra extension in the form of file.inc.php. That way if someone tried to request your include file directly they would get a blank response rather than seeing your PHP code in plain text.

port80 (Author) Posted December 6, 2013

Thank you both for your help.

QuickOldCar, I thought of doing that. What confused me was how does the mysqli_connect know to use the include(dbconnect.inc) file? So I believe it would look like this

    $dbc = mysqli_connect('dbconnect.inc')

Is that correct?

Kicken, I have read it is for convenience also, depending on the book. The security part was not to have it .php because depending on server configurations with a .php it could still return the result and show the user name and password. I am not the pro, I'm just going by what I read and info I get here. I will try the filename.inc.php; when I tried the dbconnect.php I was able to see the username and password (fake information since I was checking how the production server would function).

I have another question along these lines. I am not sure if this is the appropriate time and place to ask though. So I might message you? If that's okay?

Again, thank you very much for the help. I have some good information to work with here.

kicken Posted December 6, 2013 (edited) [Solution]

> What confused me was how does the mysqli_connect know to use the include(dbconnect.inc) file? So I believe it would look like this

mysqli_connect doesn't use the include file. You just define your credentials in the include file as either variables or constants and then use those in your mysqli_connect line, e.g.:

dbconnect.inc.php

    <?php
    //Note that you need the opening PHP tag in your include files.
    $db_user='someuser';
    $db_pass='theirPass';
    $db_database='theDatabase';
    $db_host='localhost';

otherFile.php

    <?php
    include 'dbconnect.inc.php';
    $dbc = mysqli_connect($db_host, $db_user, $db_pass, $db_database);

You could include the mysqli_connect line within your dbconnect.inc.php file so that you only have to include the file, not call mysqli_connect as well.

> I have read it is for convenience also, depending on the book. The security part was not to have it .php because depending on server configurations with a .php it could still return the result and show the user name and password.

If the extension is .php, then the only way a user would see your credentials is if

a) You somehow output them (echo, var_dump, etc.) or
b) The server is not configured properly and does not parse .php files

If the file was given a .inc extension, and the server was not configured to parse .inc as PHP (which is typical) then any request to the file would just result in the file either being displayed or offered for download, either of which reveals your credentials.

The best thing to do is store your include file containing the credentials outside of the document root so that it is impossible for anyone to even try to request it via the webserver. Some hosts allow this kind of setup, some don't. You'd have to ask your host for the details. If you have to store the file within the webroot, it's best to use a .php extension so that if it is requested, the user will likely just get a blank page.

> So I might message you? If that's okay?

You can message me if you wish. You should try posting to the forum first though, as someone else may be able to help you before I see the message.

Edited December 6, 2013 by kicken
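
The cases described in the answer above (include file outside the document root, a .inc file inside it, a .php file inside it, and a .php file missing its opening tag) can be checked mechanically. This is an added example, not code from the thread: classifyInclude(), the temp-directory layout and notag.php are hypothetical names, the credentials are fake, and it assumes the server parses only files ending in .php.

```php
<?php
// Added example. Assumption: the server hands only *.php files to PHP, the
// typical setup described in the post above.

function classifyInclude(string $docRoot, string $file): string
{
    $root = realpath($docRoot);
    $path = realpath($file);
    if ($root === false || $path === false) {
        return 'missing';
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $root, strlen($root)) !== 0) {
        return 'outside document root: cannot be requested';
    }
    if (strtolower(pathinfo($path, PATHINFO_EXTENSION)) !== 'php') {
        return 'in document root, not parsed: source sent as text';
    }
    // A parsed file still leaks if it lacks the opening tag: PHP then
    // treats the whole file as literal output.
    if (strncmp(ltrim(file_get_contents($path)), '<?php', 5) !== 0) {
        return 'in document root, parsed, no opening tag: source is output';
    }
    return 'in document root, parsed: blank response';
}

// Constructed sample tree (hypothetical names, fake credentials).
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
mkdir("$base/public_html", 0700, true);
mkdir("$base/private", 0700, true);
$creds = "<?php\n\$db_user='someuser';\n\$db_pass='theirPass';\n";
$files = [
    "$base/public_html/dbconnect.inc"     => $creds,
    "$base/public_html/dbconnect.inc.php" => $creds,
    "$base/public_html/notag.php"         => "\$db_pass='theirPass';\n",
    "$base/private/dbconnect.inc.php"     => $creds,
];
foreach ($files as $path => $content) {
    file_put_contents($path, $content);
    printf("%-32s %s\n", substr($path, strlen($base) + 1),
        classifyInclude("$base/public_html", $path));
    unlink($path);
}
rmdir("$base/public_html");
rmdir("$base/private");
rmdir($base);
```

Run it from the command line with the PHP CLI; pointing classifyInclude() at a real document root and credentials file gives the same classification for a live site layout.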

port80 (Author) Posted February 8, 2014

I am sorry it took so long to reply (Life!)

Thank you Kicken for your reply. Your examples were extremely helpful in understanding the concept! It appears now that I need to contact my hosting service and find out more information on how they are configuring the PHP on the server.

Thank you very much for your quality reply.