Posted by Jerry Stuckle on 11/24/07 19:27
Michael Vilain wrote:
> In article <13kg7mvjssbnac8@corp.supernews.com>,
> "Shelly" <sheldonlg.news@asap-consult.com> wrote:
>
>> Dan wrote:
>>> Hello!
>>>
>>> I've got some misc. questions about PHP and its usage with MySQL.
>>>
>>>
>>> The following web page:
>>>
>>> http://www.freewebmasterhelp.com/tutorials/phpmysql/3
>>>
>>> shows that it is normal to include mysql database usernames and
>>> passwords in the php file. Is this good programming practice? I'm
>>> worried that people would be able to read my php file through a web
>>> browser or through other nefarious means.
>>>
>>> This is the statement that must be in the source file to connect to a
>>> database:
>>>
>>> mysql_connect('localhost', $username, $password);
>>>
>>> with $username and $password defined elsewhere in the source file.
>>> This seems scary to me!
>>>
>>>
>>> How to properly defend against an injection attack? Wikipedia has the
>>> following code as for how to defend:
>>>
>>> $query_result = mysql_query
>>> (
>>> "select * from users where name = '"
>>> .
>>> mysql_real_escape_string($user_name, $dbh)
>>> .
>>> "'"
>>> );
>>>
>>> If this is all it takes to defend against the attacks why is such a
>>> big deal made about them? Is there something more that you need to
>>> defend against?
>>>
>>>
>>> Also one more question on how to keep track of people who are
>>> submitting information on a website. How to set a time limit to how
>>> often people can submit information? This is easy to do on the client
>>> side, just disable the button for a set amount of time, but if they
>>> went hunting through my html and found the php script they could
>>> easily whip up a program to POST information willy nilly as fast as
>>> they wanted.
>>>
>>>
>>> Also any more information or websites that would contain useful
>>> information for newcomers to PHP and MySQL would be grand!
>>>
>>> Thanks a lot!
>> Here is the simple answer: they cannot see your PHP script. The PHP
>> script resides on the server. It generates html as output and it is the
>> html that is sent to the browser. Try looking at a "Page source" in a
>> browser for a page with a php suffix. All you will see is the resultant
>> html.
>
> I read in an article a neat trick--store the username and password for
> your MySQL database as environment variables in an INCLUDE to the
> startup file for your Apache server. This way the file can be protected
> with appropriate permissions and is run as root when Apache starts. I'm
> lucky. My web host was willing to do this for my site. Yours may not.
>
> http://shiflett.org/articles/shared-hosting
>
Which also means anyone else on your host can also see your userid and
password with a simple phpinfo()....
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
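Taking up two of Dan's questions in the thread (credentials living in the PHP file, and whether escaping is the whole injection defence), here is an added example in PHP that is not code from any poster or from the linked article; the config path, its file mode and the users table columns are assumptions.

```php
<?php
// Added example, not code from any poster in this thread. Assumes:
//  - a config file /etc/myapp/db.php OUTSIDE the web document root,
//    owned by the web server user and mode 0400 (hypothetical path);
//  - PHP with the PDO MySQL driver (PHP 5.1+), which supersedes the
//    mysql_* functions quoted in the thread.
//
// /etc/myapp/db.php contains only:
//   <?php return array('dsn'  => 'mysql:host=localhost;dbname=app',
//                      'user' => 'app', 'pass' => 'REPLACE_ME');
//
// Credentials placed in an Apache SetEnv (the shared-hosting trick) are
// visible to every script on that server via $_SERVER, getenv() and
// phpinfo(). A file readable only by the server user, stored outside the
// document root, is never served by Apache and is not readable by the
// other accounts on the host.

function loadDbConfig($path = '/etc/myapp/db.php')
{
    if (!is_readable($path)) {
        throw new RuntimeException('database config not readable');
    }
    $perms = fileperms($path) & 0777;
    if ($perms & 0077) { // refuse a config that group/others can read
        throw new RuntimeException(sprintf('%s is mode %o, expected 0400', $path, $perms));
    }
    return require $path;
}

function findUserByName(PDO $db, $name)
{
    // Prepared statement: the value travels separately from the SQL text,
    // so nothing about $name has to be quoted or escaped by hand.
    // mysql_real_escape_string() only protects a value placed inside
    // quotes; an unquoted number (WHERE id = $id) or a table/column name is
    // not covered by it, which is why escaping alone is not the whole story.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute(array($name));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

$cfg = loadDbConfig();
$db  = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
));
$name = isset($_POST['name']) ? $_POST['name'] : '';
$user = findUserByName($db, $name); // a quote in $name is just part of a name
```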