0

If the following codes are stored in www.examples.com/test.php

mysql_connect("localhost", "user", "password") or die(mysql_error());
mysql_select_db("database") or die(mysql_error());
$result = mysql_query("SELECT * FROM table");
...

Are the password secured? If not, what are the best practices to prevent unwanted access to the information? Thanks!

Ken Tai
  • 3
  • 3

3 Answers3

1

It's secure as long as nobody can access the text contents of test.php. A reasonable best practice would be to store the credentials somewhere that's not accessible by a visiting user, so that if for instance the contents of example.com are put in a folder /some/path/to/www-data, you could put the file somewhere else, like /some/path/to/credentials.php. That way, the web server can still load the file, but external users won't be able to access it.

In addition, while we're discussing MySQL/PHP best practices, please note that the mysql_ functions have been deprecated, and for good reason. Instead, I suggest you use mysqli_ (where the i stands for improved), or PDO. You can read more about it here: How can I prevent SQL injection in PHP?

Community
  • 1
  • 1
Joel Hinz
  • 24,719
  • 6
  • 62
  • 75
  • Even if the file was located at `/some/path/to/www-data/credentials.php` external users still wont be able to read anything. They can load the file in browser but unless you echo the credentials that wont help them – Hanky Panky Feb 12 '15 at 06:40
  • You're not wrong, but that's assuming the web server is always correctly set up. As I said, it's secure as long as nobody can access the text contents. But from past experiences with morons at previous workplaces, I find that one should never assume that will always be the case. All it takes is one clumsy developer serving the page as text content without processing it. – Joel Hinz Feb 12 '15 at 06:43
  • 1
    Yep that absolutely makes sense. – Hanky Panky Feb 12 '15 at 06:44
0

One solution is to place an .inc file in a non root directory and include this file as you can use a file path in both require and include

<?php

$host = 'example.org';
$username = 'myuser';
$password = 'mypass';

$db = mysql_connect($host, $username, $password);

?>

if you must place this inside a root folder, some modification to the httpd.conf can apply some extra security (assuming you are using apache)

<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>
Luke Farnell
  • 81
  • 3
  • 1
    Why `.inc` and not `.inc.php` ? That gives you double the protection – Hanky Panky Feb 12 '15 at 06:47
  • It depends. Because i mentioned that if the .inc is in a not root directory, it doesnt matter what the file extention is. If it is in a root directory, the rule will catch it. – Luke Farnell Feb 12 '15 at 06:59
  • 1
    Don't always rely solely on `.htaccess` files, one messed up setting for the virtual host can render them useless at times. – Hanky Panky Feb 12 '15 at 07:02
0

PHP is a server-side language, meaning that a client device will never actually see any PHP code.

What this means is that any passwords you have are perfectly safe, from client devices.

The file that contains the login information can still be accessed by a privileged user of the webserver.

Matt Clark
  • 27,671
  • 19
  • 68
  • 123