Hopworks, posted April 28, 2007

I'm not new to PHP, but I haven't spent the time needed to be considered good at it. I know enough to do what I want mostly, but now I'm working with MySQL and a concern popped into my head like a bomb going off... Is my PHP code on my site secure from viewing?

A tutorial I'm working through now talks about connecting to my database, and in the code is

$connid = mysql_connect ('servername' , 'username' , 'password');

What keeps someone from reading my source, getting that login information, and compromising my database? The database contains useless info for anything else but my specific task at hand, not like login info or anything. And I'm real careful with my FTP info and database info. I'm just talking about someone getting that info out of a folder on my site, like view source for HTML.

Thanks!
Hop

alecks, posted April 28, 2007

PHP is server-side, which means that the code is executed on the server's side. A person browsing your website cannot see any of the PHP code in the website's source (View > Page Source).

This is the basic flowchart:

PHP File -> Interpreted by the server
Server, which -> spits out HTML code to the user.

Hopworks (author), posted April 28, 2007

Ok, thank you. I suspected that, but I wanted to hear it to help me feel safer.

One thing I didn't like was that since I knew the filenames of a few PHP files I had in the same directory, that held functions, etc., I was able to open it, or run it that is, by just typing that file name in at the end of the folder's path in the address field of my browser. Perhaps I should look at how to write code in my PHP files that looks at how that file was called upon, as in via include or just targeted from a client application.

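Added example, not part of the original posts: one way for an include-only PHP file to tell whether it was pulled in via include or requested by URL, by comparing its own path with the script the server was asked to execute. The function name `requested_directly` and the file names in the comments are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Names are hypothetical.

/**
 * True when $file is the script the web server (or CLI) was asked to run,
 * false when it was pulled in by include/require from another script.
 * $server is normally $_SERVER; it is a parameter so the check can be
 * exercised with constructed values.
 */
function requested_directly(string $file, array $server): bool
{
    $entryPath = $server['SCRIPT_FILENAME'] ?? '';
    if ($entryPath === '') {
        return false;               // realpath('') would resolve to the cwd
    }
    $entry = realpath($entryPath);
    $self  = realpath($file);
    return $self !== false && $entry !== false && $self === $entry;
}

// Inline form for the top of an include-only file such as functions.php:
//   if (realpath(__FILE__) === realpath($_SERVER['SCRIPT_FILENAME'])) {
//       http_response_code(404);   // answer like a missing page
//       exit;
//   }

// Constructed demo: a temp file stands in for index.php, the real entry point.
$index = tempnam(sys_get_temp_dir(), 'idx');
$cases = [
    'this file requested by URL'   => ['SCRIPT_FILENAME' => __FILE__],
    'index.php included this file' => ['SCRIPT_FILENAME' => $index],
    'SCRIPT_FILENAME not set'      => [],
];
foreach ($cases as $label => $server) {
    $verdict = requested_directly(__FILE__, $server) ? 'block' : 'allow';
    printf("%-30s => %s\n", $label, $verdict);
}
unlink($index);
```

Keeping function files and the file holding the database credentials in a directory outside the web server's document root, and loading them with `require`, means they have no URL at all and the guard becomes a second layer instead of the only one.
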
Hopworks (author), posted April 28, 2007

One more thing for people that might be looking for the same answer and happen to find this thread...

I read elsewhere how to turn off a directory listing of a folder on your site if you don't happen to put a default index.html, index.htm, or index.php file into every folder. I'm sure everyone registered knows this, but I didn't and it's good info.

Create a file called .htaccess (no extension) and put in it...

Options -Indexes

and save that into the root of your site.

I was worried that if that was available to a casual browsing individual, they could see my PHP file, right click it, and download it for examination. This fix worked for me. =)

Hop

alecks, posted April 28, 2007

I am pretty sure that even if they did download the .php file all they would get would still be the HTML resulting from that script.

Also, though that .htaccess works fine, you could also just chmod the folders so that ordinary users can't access the files.

MadTechie, posted April 28, 2007

That's not the point of the post, it's to stop directory traversing (used to find security holes etc.)

Hopworks (author), posted April 28, 2007

> That's not the point of the post, it's to stop directory traversing (used to find security holes etc.)

Sorry, I thought I was doing a good thing.

heckenschutze, posted April 28, 2007

Don't be scared, if you use any low-level language you can expect logical (e.g. holes you open) security holes. Usually the VM handles higher-level security for you (in this case PHP + your webserver to stop bruteforcing for example).

But, if someone was to get your source somehow... then them knowing your database password, address and/or user would be the least of your worries.

EDITED BY WILDTEEN88: Please post in one colour only. Do not post some fancy rainbow colour text thingy. You may highlight words.