Posted by The Natural Philosopher on 11/24/07 12:48
Dan wrote:
 > Hello!
 >
 > I've got some misc. questions about PHP and its usage with MySQL.
 >
 >
 > The following web page:
 >
 > http://www.freewebmasterhelp.com/tutorials/phpmysql/3
 >
 > shows that it is normal to include mysql database usernames and
 > passwords in the php file. Is this good programming practice? I'm
 > worried that people would be able to read my php file through a web
 > browser or through other nefarious means.
 
 Only on a misconfigured server. Files with a .php extension will ALWAYS
 be executed rather than downloaded by the web server.
 
 And even if they do, it's a strange MySQL server that is sitting on the
 internet accepting requests from all and sundry. Normally you run them
 (php/apache/mysql) on a local network, or the same box, and set MySQL to
 only accept requests FROM the apache server.
 
 Of course if your server machine itself is hacked, all bets are off
 anyway. Never mind password access to MySQL, just strip all the database
 files out and run them on YOUR MySQL setup.
 
 In essence, on a properly configured server, php sources are private.
 End of story.
 
 
 >
 > Also one more question on how to keep track of people who are
 > submitting information on a website. How to set a time limit to how
 > often people can submit information? This is easy to do on the client
 > side, just disable the button for a set amount of time, but if they
 > went hunting through my html and found the php script they could
 > easily whip up a program to POST information willy nilly as fast as
 > they wanted.
 >
 
 Should be able to use a cookie or session thing to keep track of
 individual users, but with no absolute certainty. One of the essences of
 web access is that there is intrinsically no notion of a connected user.
 You have to layer that over the top using cookies and user logins if you
 want it. But that relies on co-operation from the remote user.
 
 So, unless you enforce some kind of user login, you can't distinguish
 between loads of different people doing stuff and one person doing lots
 of stuff.
 
 IP address stuff doesn't work either as you may be dealing with a proxy
 server.
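The point made in the reply above (a cookie or session limit only holds while the client cooperates; a login-backed limit does not depend on that) as an added illustration, not code from the thread or from the tutorial Dan linked. It is in Python rather than PHP so it can be exercised offline; the in-memory stores, the hypothetical user table, the limit of 3 submissions per 60 seconds and all function names are assumptions. The same logic maps directly onto a PHP handler backed by a MySQL table of submission timestamps.

```python
"""Server-side submission rate limiting, keyed two different ways.

Added example (not from the original thread). Shows why a limit keyed on
a session cookie is defeated by a script that simply discards cookies,
while a limit keyed on an authenticated username is not.
"""
import secrets
import time
from collections import defaultdict

MAX_SUBMITS = 3        # assumed policy: 3 submissions ...
WINDOW_SECONDS = 60.0  # ... per rolling 60-second window


class FakeClock:
    """Deterministic stand-in for time.monotonic() so the demo is repeatable."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class SubmitHandler:
    """Simulates the server side of a form POST. HTTP itself carries no
    notion of a connected user; every identity here is something the
    server layers on top (a cookie it issued, or a login it verified)."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.sessions = set()                       # session ids the server issued
        self.users = {"alice": "correct horse"}     # hypothetical login table
                                                    # (plaintext for brevity only;
                                                    # store salted hashes for real)
        self.submits = defaultdict(list)            # limiter key -> timestamps

    def new_session(self):
        """Issue a fresh session id, as a Set-Cookie would. Nothing stops a
        client from asking for a new one before every request."""
        sid = secrets.token_hex(16)
        self.sessions.add(sid)
        return sid

    def _allow(self, key):
        """Sliding-window check: keep only timestamps inside the window,
        refuse if the window is already full, otherwise record this hit."""
        now = self.clock()
        recent = [t for t in self.submits[key] if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_SUBMITS:
            self.submits[key] = recent
            return False
        recent.append(now)
        self.submits[key] = recent
        return True

    def submit_by_session(self, session_id):
        """Limit keyed only on the cookie the client chose to present."""
        if session_id not in self.sessions:
            return 400                              # unknown/missing cookie
        return 200 if self._allow(("session", session_id)) else 429

    def submit_by_user(self, username, password):
        """Limit keyed on an identity the server verified itself."""
        if self.users.get(username) != password:
            return 401
        return 200 if self._allow(("user", username)) else 429


def cooperative_browser(handler, n=10):
    """A real browser keeps the cookie it was given: the limit bites."""
    sid = handler.new_session()
    return sum(handler.submit_by_session(sid) == 200 for _ in range(n))


def cookie_discarding_script(handler, n=10):
    """A script that starts a fresh session per POST: every hit is accepted."""
    return sum(handler.submit_by_session(handler.new_session()) == 200
               for _ in range(n))


def logged_in_script(handler, n=10):
    """The same script, once a login is enforced: the limit holds again."""
    return sum(handler.submit_by_user("alice", "correct horse") == 200
               for _ in range(n))


if __name__ == "__main__":
    h = SubmitHandler(clock=FakeClock())
    print("browser, session-keyed :", cooperative_browser(h), "of 10 accepted")
    print("script, session-keyed  :", cookie_discarding_script(h), "of 10 accepted")
    print("script, login-keyed    :", logged_in_script(h), "of 10 accepted")
```

Keying the limiter on the client IP address would behave like the session case for a different reason: many users behind one proxy share a key and get throttled together, while one user with several egress addresses gets several keys.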