
mysqli_connect (include) ?



Hello and thank you for any help you may provide.

I am a n00b at programming and PHP. I am teaching myself PHP and MySQL.

 

I have a web form that collects data and inserts it into a MySQL database. I have found that $dbc = mysqli_connect('hostname', 'username', 'password', 'databasename') is not a secure way of storing passwords for database connections. As I understand it, database connection credentials should be in a separate file with a .inc extension.

 

How does that work?

 

Is this correct / will this work?

$dbc = mysqli_connect( include (dbconnect.inc))

What is the proper way to do this?


Storing your database credentials (and/or connection code) in a separate file is not so much for security but rather convenience. If you ever need to change them you only have one place to do it rather than in every page. If you do separate them out, your include files should also have a .php extension, however you may include .inc as an extra extension in the form of file.inc.php. That way if someone tried to request your include file directly they would get a blank response rather than seeing your PHP code in plain text.

Thank you both for your help.

 

QuickOldCar,

I thought of doing that. What confused me was how does the mysqli_connect know to use the include(dbconnect.inc) file? So I believe it would look like this

$dbc = mysqli_connect('dbconnect.inc')

Is that correct?

 

Kicken,

I have read it is for convenience also, depending on the book. The security part was not to have it .php because depending on server configurations with a .php it could still return the result and show the user name and password. I am not the pro, I'm just going by what I read and info I get here. I will try the filename.inc.php, when I tried the dbconnect.php I was able to see the username and password (fake information since I was checking how the production server would function).

I have another question along these lines. I am not sure if this is the appropriate time and place to ask though. So I might message you? If that's okay?

Again, thank you very much for the help. I have some good information to work with here.

  • Solution

What confused me was how does the mysqli_connect know to use the include(dbconnect.inc) file? So I believe it would look like this

mysqli_connect doesn't use the include file. You just define your credentials in the include file as either variables or constants and then use those in your mysqli_connect line, eg:

dbconnect.inc.php

<?php //Note that you need the opening PHP tag in your include files.

$db_user='someuser';
$db_pass='theirPass';
$db_database='theDatabase';
$db_host='localhost';

otherFile.php

<?php

include 'dbconnect.inc.php';
$dbc = mysqli_connect($db_host, $db_user, $db_pass, $db_database);

You could include the mysqli_connect line within your dbconnect.inc.php file so that you only have to include the file, not call mysqli_connect as well.

 

I have read it is for convenience also, depending on the book. The security part was not to have it .php because depending on server configurations with a .php it could still return the result and show the user name and password.

If the extension is .php, then the only way a user would see your credentials is if

a) You somehow output them (echo, var_dump, etc) or

b) The server is not configured properly and does not parse .php files

 

If the file was given a .inc extension, and the server was not configured to parse .inc as PHP (which is typical) then any request to the file would just result in the file either being displayed or offered for download, either of which reveals your credentials.

 

The best thing to do is store your include file containing the credentials outside of the document root so that it is impossible for anyone to even try to request it via the webserver. Some hosts allow this kind of setup, some don't. You'd have to ask your host for the details. If you have to store the file within the webroot, it's best to use a .php extension so that if it is requested, the user will likely just get a blank page.

 

 

So I might message you? If that's okay?

You can message me if you wish. You should try posting to the forum first though, as someone else may be able to help you before I see the message.

Edited by kicken
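The layout recommended in the answer above (credentials kept outside the document root, connection code in one included file), as an added example that is not part of the original posts. The directory paths, the `load_db_config` and `db_connect` helper names, and the array-returning `dbconfig.php` are assumptions made for illustration.

```php
<?php
// db.php: sits inside the web root and is included by pages that need $dbc.
// Assumed (hypothetical) layout:
//   /home/example/private/dbconfig.php   credentials, not reachable by URL
//   /home/example/public_html/db.php     this file; public_html is the doc root
// dbconfig.php is assumed to hold an opening PHP tag followed by:
//   return ['host' => 'localhost', 'user' => 'someuser',
//           'pass' => 'theirPass', 'name' => 'theDatabase'];

function load_db_config(string $path, string $docRoot): array
{
    $real = realpath($path);
    if ($real === false || !is_readable($real)) {
        throw new RuntimeException('Database configuration is unavailable.');
    }
    // Refuse a config file that resolves to somewhere under the document
    // root, where a misconfigured server could serve it as plain text.
    $root = realpath($docRoot);
    if ($root !== false) {
        $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strpos($real, $prefix) === 0) {
            throw new RuntimeException('Database configuration is inside the document root.');
        }
    }
    $cfg = require $real; // the file returns an array and defines no globals
    if (!is_array($cfg)) {
        throw new RuntimeException('Database configuration is malformed.');
    }
    foreach (['host', 'user', 'pass', 'name'] as $key) {
        if (!isset($cfg[$key])) {
            throw new RuntimeException("Database configuration lacks '$key'.");
        }
    }
    return $cfg;
}

function db_connect(array $cfg): mysqli
{
    // Make mysqli throw exceptions instead of emitting warnings into the page.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    try {
        $dbc = mysqli_connect($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name']);
    } catch (mysqli_sql_exception $e) {
        error_log('DB connect failed: ' . $e->getMessage()); // detail goes to the server log
        throw new RuntimeException('Database connection failed.'); // generic message for callers
    }
    mysqli_set_charset($dbc, 'utf8mb4');
    return $dbc;
}

$dbc = db_connect(load_db_config(__DIR__ . '/../private/dbconfig.php', $_SERVER['DOCUMENT_ROOT'] ?? __DIR__));
```

Pages then only need `require 'db.php';` to obtain `$dbc`, and a direct request for `db.php` produces no output because the file echoes nothing.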
  • 2 months later...

I am sorry it took so long to reply (Life!)

 

Thank you Kicken for your reply. Your examples were extremely helpful in understanding the concept! It appears now that I need to contact my hosting service and find out more information on how they are configuring the PHP on the server.

 

Thank you very much for your quality reply :)
