[guyfromri]

Hey guys!! I'm playing with some PHP. I have the following script ((that I'm incredibly proud of btw ) that is going to go in all the pages of my particular site. The purpose is to populate an entire column with links on each page. My question is, if you look at the script, obviously anyone could just view the page source and have all my db info...how would one go about doing this properly so that info isn't visible? I believe it's something similar to a login script where I call an "intermediate" page that has the db connect info but I don't know if that's the right way....please advise

<?php						
$username="me";					
$password="blahdittyblah";				
$database="dbme";						
mysql_connect("mysql.realservers.info",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query="SELECT * FROM master_links";			
$result=mysql_query($query);				
$num=mysql_numrows($result);					
mysql_close();							
$i=0;	
while ($i < $num) {				
$field1name=mysql_result($result,$i,"VisLinkName");
$field2name=mysql_result($result,$i,"WWWLink");			
echo "<a href='$field2name'> $field1name </a><br/> ";			
$i++;						
}			
?>

<b>As always, thanks in advance!!!</b>

This post has been edited by guyfromri: 21 April 2011 - 08:34 PM

[sas1ni69]

Hi,

You can put the connection data in a seperate file (e.g, connect.inc.php) and ftp it to the folder above the root folder where there's no public access.

You can then call it from your php file using something like this;

<?php
 require "../connect.inc.php" 
?>

[guyfromri]

Thanks Sas!

Now I have one more question...

I created a file in root named "main_db_connect.php. It only has HTML tags, then the php variables to login. When I use reqire in the main script, I get the following

Fatal error: require() [function.require]: Failed opening required '/main_db_connect.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/u8*******/public_html/index.php on line 56

How do I tell it to search in root and not in public_html?

Thanks again for the help!!

Here's the code I have now

<?php
require "/main_db_connect.php";
	
mysql_connect("mysql.realservers.info",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query="SELECT * FROM master_links";
$result=mysql_query($query);

[sas1ni69]

Hi guyfromri

You're welcome. The thing is right now there's a file with parameters but you're not sending them nor you're receiving them. So the variables will have no values in your second page.

What you can do is connect to the database inside the connection file ("main_db_connect.php") and just make sql queries directly. Let me give you a little example just in case.

This is the connection file;

<?php

//connection to mysql server

$dbc = mysql_connect('localhost', 'username', 'password');

if (!$dbc) {
    die('Not Connected: ' . mysql_error());
}

$db_selected = mysql_select_db('databaseName', $dbc);

if (!$db_selected) {
    die('Database could not be found: ' . mysql_error());
}

?>

Now to actually make a query. This would be on a seperate file elsewhere;

<?php 
include ('/main_db_connect.php');

$query = "SELECT field1, field2 FROM table WHERE field1 = 'php'";

$result = mysql_query($query);

while ($row = mysql_fetch_array($result)) {
  //do some processing here
}
?>

I hope this helps

[JaKWaC]

PHP is processed on the server. Your viewers would not be able to view the source of the page and see your database information. Just wanted to clarify that for you.

[billj4u]

Quote

How do I tell it to search in root and not in public_html?

Root is public_html...

This post has been edited by billj4u: 22 April 2011 - 08:34 PM

[creativecoding]

billj4u, on 22 April 2011 - 09:32 PM, said:

Quote

How do I tell it to search in root and not in public_html?

Root is public_html...

Most host do allow you to go farther back than public_html.


You can use ../../filename until you think you are in the home directory, or you can figure out the exact path by looking at the "Home Directory" under the cpanel stats.

[guyfromri]

JaKWaC, on 22 April 2011 - 04:02 AM, said:

PHP is processed on the server. Your viewers would not be able to view the source of the page and see your database information. Just wanted to clarify that for you.

I absolutely thought that was the case but didn't know. Thank you very much! That's very helpful.

[creativecoding]

guyfromri, on 23 April 2011 - 04:02 PM, said:

JaKWaC, on 22 April 2011 - 04:02 AM, said:

PHP is processed on the server. Your viewers would not be able to view the source of the page and see your database information. Just wanted to clarify that for you.

I absolutely thought that was the case but didn't know. Thank you very much! That's very helpful.

Of course, people will still be able to view your username/pass if you give them the source to your site/script/thing. It's just common practice to keep all database connection stuff in another file. That way, you won't have to type stuff over and over again in each file, but instead do something like include a script.

[cgtroll]

sas1ni69, on 21 April 2011 - 08:58 PM, said:

Hi,

You can put the connection data in a seperate file (e.g, connect.inc.php) and ftp it to the folder above the root folder where there's no public access.

You can then call it from your php file using something like this;

<?php
 require "../connect.inc.php" 
?>

Hi,
I have the problem that my host does not allow access to the folder obove the root, is there a way to secure the db_connect.php inside the public folders? or hide the info used in the db_connect.php

Thanks a lot for any help.

[Atli]

Like has been pointed out already, PHP is processed on the server-side. The source code will never be visible to anybody using the site through the HTTP server. Only people with access to the server's file system, through something like FTP or SSH, will be able to see the source code.

More than that, even if the HTTP server did for some unexpected reason stop parsing the PHP and visitors would accidentally see the MySQL connection info, it should not do them any good without direct access to the server. MySQL users meant to be used by PHP applications should always be limited to specific locations (typically only "localhost") so that having the connection details is useless unless you can actually connect from the server machine.

Moving the connection details outside the web-root, or deny access to it using .htaccess files, or adding it to the PHP configuration, or otherwise trying to hide it, is a good idea if it's possible, but if not then there is no need to lose any sleep over it. It's not really necessary.


You can always set the server up to update the user info every so often, to invalidate the password in case it's leaked. (Of course, if it's leaked then there's likely a more serious security issue to worry about, but even so...) Using a scheduled task (a cron-job) you can randomly generate a new password, update it using mysqladmin, and then update the PHP source code accordingly. Should take more than a basic understanding of shell scripts.

[cgtroll]

Thank you so much for the explanation and clarification. I saw the previous post but didn't quite get the fact that we were talking about the same thing. Pointing out the facts helped a lot too, so again, thanks a lot!