Posted by J.O. Aho on 07/15/06 20:28
cewyattjr@gmail.com wrote:
> So I'm a relative noob with PHP/MySQL. Here's my question -- seems
> pretty questionable from a security standpoint to have the MySQL
> connection usernames/pw's embedded in PHP scripts all over a site. Is
> there a better practice? Would something like this in every page be
> better:
>
> <?php include ("../passwordprotected/SinglefilewithPHPlogininfo.php"); ?>
> Database login info is still sitting in that file in clear text, but
> seems better than multiple clear-text copies all over a site. Are
> there better methods?
The best IMHO is to have an include file that is outside the directory that the
web server has access to. We assume you have a *nix-based system and
you are working on your personal homepage:
your home directory would be ~/
your homepage directory would be ~/html_public (depends on the web server
configuration)
your MySQL password/login could be stored in ~/myloginpass.php
This way there is no way that the file can be accessed by a user accessing the
site with a web browser.
Store the password and login as variables in ~/myloginpass.php, which you
can then use in your scripts after you have included the file.
Example:
---- ~/html_public/index.php ----
<?PHP
/* For the include we use the absolute path, so the file will for sure be
included */
include_once('/home/username/myloginpass.php');
/* mysqli_connect() is used here because mysql_connect() was removed in PHP 7.0 */
$link = mysqli_connect('localhost', $db_login, $db_pass);
/* here add the rest of your code */
?>
---- end of example file ----
---- ~/myloginpass.php ----
<?PHP
$db_login="someusername";
$db_pass="secretpassword";
?>
---- end of example file ----
//Aho
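The layout described in the reply above, with the checks a loader can make before trusting the credentials file. This is an added example, not code from the original post: `load_db_credentials()` is a hypothetical helper, the paths are the ones used in the post, mysqli is used because `mysql_connect()` was removed in PHP 7.0, and the permission check assumes PHP runs as the file's owner or group (as with per-user PHP-FPM or suEXEC).

```php
<?php
// Added example: hypothetical helper, not part of the original post.
// Assumed layout (from the post): docroot /home/username/html_public,
// credentials in /home/username/myloginpass.php defining $db_login and $db_pass.

function load_db_credentials(string $credFile, string $docRoot): array
{
    $cred = realpath($credFile);   // resolves symlinks and ../ segments
    $root = realpath($docRoot);
    if ($cred === false || $root === false) {
        throw new RuntimeException('credentials file or document root not found');
    }
    // Refuse a file inside the web root: if the PHP handler is ever
    // disabled or misconfigured, the server would send it as plain text.
    if (strpos($cred . '/', rtrim($root, '/') . '/') === 0) {
        throw new RuntimeException('credentials file is inside the document root');
    }
    // Refuse files readable or writable by "other" (local users on a shared host).
    $perms = fileperms($cred);
    if ($perms === false || ($perms & 0006) !== 0) {
        throw new RuntimeException('credentials file is accessible to other users');
    }
    // Included in function scope, so the variables never become globals.
    include $cred;
    if (!isset($db_login, $db_pass)) {
        throw new RuntimeException('credentials file did not define $db_login/$db_pass');
    }
    return [$db_login, $db_pass];
}

try {
    [$user, $pass] = load_db_credentials(
        '/home/username/myloginpass.php',
        $_SERVER['DOCUMENT_ROOT'] ?? '/home/username/html_public'
    );
    $link = mysqli_connect('localhost', $user, $pass);
    if ($link === false) {   // older PHP returns false instead of throwing
        throw new RuntimeException('database connection failed');
    }
} catch (Throwable $e) {
    // Log server-side only; never echo connection details to the visitor.
    error_log('DB setup failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Service unavailable');
}
```

Setting the file to mode 0600 (or 0640 with the web server's group) satisfies the permission check.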