|
|
Posted by J.O. Aho on 05/27/07 09:33
_mario.lat wrote:
> I use PHP and I'd like to not write in hardcoded way password
> and login to access to mysql.
> how to not write password in code for access to mysql?
> How can I do?
> I'd like that who see my code don't see my paswords.
> there is a solution?
I assume you use a Unix like system for your server.
I assume you have your PHP scripts in ~/public_html
Then you can create a directory ~/mypasswords
Now you can create the following file
--- ~/mypasswords/mysql.log.data.php ---
<?PHP
$mysql_login="loginname";
$mysql_passw="secretpass";
$mysql_host="localhost";
$mysql_database="mydb";
?>
-- eof ---
Now in your php script that users can surf to
--- ~/public_html/index.php ---
<?PHP
require_once('../mypasswords/mysql.log.data.php');
mysql_connect($mysql_host, $mysql_login, $mysql_passw);
mysql_select_db($mysql_database);
//and so on...
?>
--- eof ---
Even if there would be a misconfiguration, and the PHP engine would be
disabled, and the code is displayed in raw, no one will be able to see the
login/password/host/database in your code, just see to that the user who is
running the web server has the privileges to read the
~/mypasswords/mysql.log.data.php, but don't make the directory publicly
available on the net (no symlinks to the file or directory in your ~/public_html).
--
//Aho
Navigation:
[Reply to this message]
|