3 Replies - 2528 Views - Last Post: 06 April 2012 - 01:25 PM

#1 huw1990

How to Secure MySQL Logon Details in PHP?

Posted 06 April 2012 - 10:00 AM

Hi,

I'm creating a small website that contains a form for users to submit their personal information, which then uses a PHP script to add the information to a MySQL database. The only problem I have is that my database username, location, password, etc are visible in plain text in my PHP, which clearly isn't very secure, so anyone will be able to access the data. I've tried searching but couldn't find anything, could somebody point me in the right direction please?

Thanks,
Huw


Replies To: How to Secure MySQL Logon Details in PHP?

#2 Atli

Re: How to Secure MySQL Logon Details in PHP?

Posted 06 April 2012 - 11:02 AM

Hi.

What do you mean by "visible in plain text"?

The code within a PHP file is not visible to just anybody. The HTTP servers will execute the PHP code and only show the output it generates when visitors attempt to view it, so you can't "download" or otherwise view the PHP code unless you have access to the server's file-system.

Of course, you can always move this info into another PHP file outside the web-root, and then include it into your other PHP scripts. That will guarantee that no configuration error or other HTTP server errors will accidentally allow people to download the PHP script containing the info. You may want to set the permissions on this file so that only the user running the HTTP server can read it, to make sure no other users on the server can access it.
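
The layout suggested in post #2 (credentials in a PHP file outside the web root, readable only by the web server user), written out as an added example that is not code from the thread. The path `/var/www/private/db-config.php`, the helper name `load_db_config` and the array keys are assumptions, and the permission check assumes a Unix host.

```php
<?php
declare(strict_types=1);
/* Assumed contents of /var/www/private/db-config.php, a file outside the
   web root, owned by the web server user, mode 0600 (values are constructed):
   <?php
   return ['host' => 'localhost', 'name' => 'example_db',
           'user' => 'example_user', 'pass' => 'change-me'];
*/

// Hypothetical helper: load the settings only if the file is outside the
// web root and not accessible to group/other users (Unix permission bits).
function load_db_config(string $configPath, string $webRoot): array
{
    $real = realpath($configPath);
    $root = realpath($webRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('Config file or web root not found');
    }
    if (strpos($real, rtrim($root, '/') . '/') === 0) {
        throw new RuntimeException('Config file is inside the web root');
    }
    $perms = fileperms($real);
    if ($perms === false || ($perms & 0077) !== 0) {
        throw new RuntimeException('Config file is accessible to group/other; chmod 600 it');
    }
    $config = require $real;
    foreach (['host', 'name', 'user', 'pass'] as $key) {
        if (!is_array($config) || !isset($config[$key])) {
            throw new RuntimeException("Config file is missing '$key'");
        }
    }
    return $config;
}

// In a script under the web root: connect, and keep failure details in the
// server log rather than in the page sent to the visitor.
try {
    $cfg = load_db_config('/var/www/private/db-config.php', $_SERVER['DOCUMENT_ROOT']);
    $pdo = new PDO(
        "mysql:host={$cfg['host']};dbname={$cfg['name']};charset=utf8mb4",
        $cfg['user'],
        $cfg['pass'],
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
    );
} catch (Throwable $e) {
    error_log('Database setup failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Service temporarily unavailable.');
}
```

If the web server ever serves `.php` files as plain text because of a configuration error, the script under the web root reveals only the path of the config file, not the credentials.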

#3 huw1990

Re: How to Secure MySQL Logon Details in PHP?

Posted 06 April 2012 - 12:00 PM

Atli, on 06 April 2012 - 11:02 AM, said:

Hi.

What do you mean by "visible in plain text"?

The code within a PHP file is not visible to just anybody. The HTTP servers will execute the PHP code and only show the output it generates when visitors attempt to view it, so you can't "download" or otherwise view the PHP code unless you have access to the server's file-system.

Of course, you can always move this info into another PHP file outside the web-root, and then include it into your other PHP scripts. That will guarantee that no configuration error or other HTTP server errors will accidentally allow people to download the PHP script containing the info. You may want to set the permissions on this file so that only the user running the HTTP server can read it, to make sure no other users on the server can access it.


I'm a bit new to PHP. I assumed it worked similarly to HTML code, so I could redirect straight to that page, but if that's not right and nobody can actually see my PHP code if I upload it normally then that's great. Thanks!

#4 Atli

Re: How to Secure MySQL Logon Details in PHP?

Posted 06 April 2012 - 01:25 PM

No problem :)

It's important to understand this point straight away. A lot of the confusion we see in forums like these from new PHP developers comes from them not getting that PHP and HTML are completely separate things. PHP is used by the server to generate HTML, which is then sent to the client to be processed by the browser. The browser will never see any part of the actual PHP code.

None of the client-side languages (HTML, CSS and Javascript) has anything to do with PHP, other than that PHP is sometimes used to generate them. People frequently try to mix Javascript and PHP together in weird ways, expecting the PHP code to be executed when the Javascript calls it, like:
<script>
function getCurrentDate() {
	return "<?php echo date("Y-m-d H:i:s"); ?>";
}
</script>


People may assume this will always return the date at the time the Javascript function is called, but in reality this will only ever print the date when the page was generated by the server.