
Simple PHP / MySQL security question


wpb


Hello,

 

I'm quite new to both PHP and MySQL, so forgive me if this is obvious...

 

If I have a PHP script in my public folder that contains code to open my MySQL database using my username and password, what's to stop everyone on the internet downloading that script and finding out the username and password for themselves? Is it never possible to download a PHP script from a server without the server first parsing the PHP and basically just serving up the resulting HTML?

 

Secondly, I have a website with a small MySQL database containing some data, only part of which is intended for public viewing. I have a PHP script which queries the database by ID number and returns some HTML about the results. Let's say that IDs 1-10 are for public viewing, and IDs 11-20 aren't. What's to stop someone writing a script that can query my database for IDs 11-20?

 

Sorry if it's not clear what I mean! Any help much appreciated.

 

Cheers,

 

WPB


PHP is run server side and only the output is displayed. Therefore anything in between <?php and ?> is hidden. All that is displayed is the results. Therefore, to get access to your PHP files the user will have to go through an FTP client. To do that they need user names and passwords.

 

To query your database they will need all the user names and passwords to set up a connection. The only way to get that is from you or the host provider.

 

 

edit: I am new to PHP too, but I think I am right. Please correct me if I am wrong.


If your username and password are stored in variables within a .php file then they will not be viewable; even if the file is saved by a client, they only ever get the HTML output.

 

Having said that, however, if your server ever fails to parse PHP, it may serve your pages as plain text.

 

As for your second question: only if someone gains access to your database server address, database name, username and password will they be able to query your database. Even then, you would need to allow connections from remote users. This is not set up by default.


what is stopping them from querying 11-20?

you!

 

You can say who can do what with your script, so you have to limit them. The simple way to do this is to apply a secondary field called Public and make it a Bool type, where if that field is 1 the row is public, else it's not. So you can then say:

<?php
// Build the query; cast $id to int so it cannot carry SQL of its own.
$q = "SELECT * FROM `table` WHERE ID = '" . (int) $id . "'";
// For anonymous visitors, only rows flagged Public = 1 may match.
if ($query_type == "public") {
    $q .= " AND Public = '1'";
}
?>

 

You will need to define your query type from something else, but you get the idea, I think.


Correct. In fact the first question was just asked - http://www.phpfreaks.com/forums/index.php/topic,169297.0.html

 

As long as your file has an extension that causes it to be parsed by php, no one can see the php code and data in it.

 

If you are using PHP include files, don't end them in .inc or .txt. Those are not parsed (by default) as PHP code files and someone could just browse to them and get the PHP source code. Always use .php as an extension for any file that contains PHP code or data, even if it is an include file or a flat-file database file...

 

For your public/private database records. You need to use more than just the ID to determine what gets requested and output on a page. You would need a login system and the code checks if someone is logged in before retrieving and displaying the records that correspond to private id numbers.

 

BTW: You should not use ID numbers or a range of ID numbers to determine what is public or private. You should have a column that indicates an access level for each record. Then the access level (for example, not-logged-in) of the current visitor is used in the query to determine if he can view that information. This will allow the ID numbers to be assigned when new data is added without a complicated need to manipulate or remember which ID numbers are public or private.

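The two replies above both point at the same fix: a per-row access column, checked inside the query against the visitor's server-side state, with the ID bound as a parameter instead of pasted into the SQL string. Here is an added, worked version of that in PHP (example code, not from the thread or any of its posters). It uses PDO with an in-memory SQLite database so it runs stand-alone; the table name `items`, the column `access_level`, the sample rows and the session layout are assumptions made for the example, and for MySQL only the DSN and credentials change.

```php
<?php
// Added example (not from the thread): enforce a per-row access level in the
// query itself, driven by the visitor's session, instead of by a range of IDs.
// PDO + in-memory SQLite keeps it self-contained; for MySQL use e.g.
//   new PDO('mysql:host=localhost;dbname=site', $user, $pass)
// The table, rows and access levels below are constructed for this example.

declare(strict_types=1);

const LEVEL_PUBLIC = 0;   // anyone, including visitors who are not logged in
const LEVEL_MEMBER = 1;   // requires a login

function setupDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT NOT NULL, access_level INTEGER NOT NULL)');
    $insert = $db->prepare('INSERT INTO items (id, title, access_level) VALUES (?, ?, ?)');
    $rows = [
        [1,  'Public notice',        LEVEL_PUBLIC],
        [2,  'Opening hours',        LEVEL_PUBLIC],
        [11, 'Members-only minutes', LEVEL_MEMBER],
        [12, 'Members-only report',  LEVEL_MEMBER],
    ];
    foreach ($rows as $row) {
        $insert->execute($row);
    }
    return $db;
}

// The visitor's level comes from the server-side session, never from the request.
// (Assumed session layout: a login script sets $_SESSION['user_id'].)
function visitorAccessLevel(array $session): int
{
    return isset($session['user_id']) ? LEVEL_MEMBER : LEVEL_PUBLIC;
}

// Fetch one record by id, but only if the visitor's level is high enough.
// The id is bound as a parameter, so "11 OR 1=1" in the URL cannot alter the query,
// and the access check is part of the WHERE clause, so there is no code path that
// returns a private row by mistake.
function fetchItem(PDO $db, $requestedId, int $visitorLevel): ?array
{
    if (!ctype_digit((string) $requestedId)) {
        return null;                      // reject anything that is not a plain integer
    }
    $stmt = $db->prepare('SELECT id, title FROM items WHERE id = :id AND access_level <= :level');
    $stmt->execute([':id' => (int) $requestedId, ':level' => $visitorLevel]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;  // null for both "no such row" and "not allowed"
}

$db = setupDatabase();

// Anonymous visitor: the constructed session is empty.
$anonLevel = visitorAccessLevel([]);
var_dump(fetchItem($db, '1', $anonLevel));         // public row is returned
var_dump(fetchItem($db, '11', $anonLevel));        // null: private row stays hidden
var_dump(fetchItem($db, '11 OR 1=1', $anonLevel)); // null: rejected before the query runs

// Logged-in member: session as a (hypothetical) login script would have populated it.
$memberLevel = visitorAccessLevel(['user_id' => 42]);
var_dump(fetchItem($db, '11', $memberLevel));      // private row is returned
```

Two design choices worth noting. First, a private row and a non-existent row both come back as null, so an anonymous visitor cannot probe which IDs exist by comparing responses. Second, because the access level lives in a column and the visitor's level is computed from the session, adding record 21 as public or 22 as members-only needs no change to the code; the same `access_level <= :level` filter must also be used on any listing page, otherwise the titles of private rows leak there.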
