Posted by Shelly on 11/24/07 12:39
Dan wrote:
> Hello!
>
> I've got some misc. questions about PHP and its usage with MySQL.
>
>
> The following web page:
>
> http://www.freewebmasterhelp.com/tutorials/phpmysql/3
>
> shows that it is normal to include mysql database usernames and
> passwords in the php file. Is this good programming practice? I'm
> worried that people would be able to read my php file through a web
> browser or through other nefarious means.
>
> This is the statement that must be in the source file to connect to a
> database:
>
> mysql_connect(localhost,$username,$password);
>
> with $username and $password defined elsewhere in the source file.
> This seems scary to me!
>
>
> How to properly defend against an injection attack? Wikipedia has the
> following code as for how to defend:
>
> $query_result = mysql_query
> (
> "select * from users where name = '"
> .
> mysql_real_escape_string($user_name, $dbh)
> .
> "'"
> );
>
> If this is all it takes to defend against the attacks why is such a
> big deal made about them? Is there something more that you need to
> defend against?
>
>
> Also one more question on how to keep track of people who are
> submitting information on a website. How to set a time limit to how
> often people can submit information? This is easy to do on the client
> side, just disable the button for a set amount of time, but if they
> went hunting through my html and found the php script they could
> easily whip up a program to POST information willy nilly as fast as
> they wanted.
>
>
> Also any more information or websites that would contain useful
> information for newcomers to PHP and MySQL would be grand!
>
> Thanks a lot!
Here is the simple answer: they cannot see your PHP script. The PHP
script resides on the server. It generates html as output and it is the
html that is sent to the browser. Try looking at a "Page source" in a
browser for a page with a php suffix. All you will see is the resultant
html.
--
Shelly
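
On Dan's injection question above, an added example (not part of the original thread) of the same lookup done with a bound parameter instead of string concatenation. It assumes PDO with an in-memory SQLite database standing in for MySQL so it runs offline; the table, rows, inputs and the `find_users` helper are constructed for illustration.

```php
<?php
// Added example: parameterized query instead of building SQL by concatenation.
// Assumption: an in-memory SQLite database stands in for MySQL so the script
// runs offline; against MySQL only the DSN and credentials change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample table and rows.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
foreach (array('alice', "O'Brien") as $name) {
    $insert->execute(array(':name' => $name));
}

/**
 * Look up users by exact name (hypothetical helper).
 * The SQL text is fixed; the value is passed separately as a bound
 * parameter, so it is compared as data and never parsed as SQL.
 */
function find_users(PDO $pdo, $user_name)
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute(array(':name' => $user_name));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: an ordinary name, a legitimate name containing a
// quote, and a value containing SQL syntax. Each is matched literally
// against the name column.
$inputs = array('alice', "O'Brien", "x' OR '1'='1");
foreach ($inputs as $input) {
    $rows = find_users($pdo, $input);
    printf("%-16s -> %d row(s)\n", $input, count($rows));
}
```

When the DSN points at MySQL, setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the server perform the parameter binding rather than PDO.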