Posted by Jerry Stuckle on 11/24/07 12:58
Dan wrote:
> Hello!
>
> I've got some misc. questions about PHP and its usage with MySQL.
>
>
> The following web page:
>
> http://www.freewebmasterhelp.com/tutorials/phpmysql/3
>
> shows that it is normal to include mysql database usernames and
> passwords in the php file. Is this good programming practice? I'm
> worried that people would be able to read my php file through a web
> browser or through other nefarious means.
>
> This is the statement that must be in the source file to connect to a
> database:
>
> mysql_connect('localhost', $username, $password);
>
> with $username and $password defined elsewhere in the source file.
> This seems scary to me!
>
You need to define the userid and password somewhere in the source file
so that you can access MySQL. If your server is properly configured, no
one will be able to see your PHP source code (as long as it's in .php
files, anyway).
But for additional safety, just put the information in an include file
outside the web server's document root. Then it will be accessible via
PHP (which uses the file system) but not through the web server.
>
> How to properly defend against an injection attack? Wikipedia has the
> following code as for how to defend:
>
> $query_result = mysql_query(
>     "select * from users where name = '"
>     . mysql_real_escape_string($user_name, $dbh)
>     . "'"
> );
>
> If this is all it takes to defend against the attacks why is such a
> big deal made about them? Is there something more that you need to
> defend against?
>
That's part of it. Always process strings with
mysql_real_escape_string(), something too many people don't do. But
also validate your numeric values to ensure they are numeric. And if
there are specific values which can be passed (i.e. from a list), ensure
the value passed is in that list.
>
> Also one more question on how to keep track of people who are
> submitting information on a website. How to set a time limit to how
> often people can submit information? This is easy to do on the client
> side, just disable the button for a set amount of time, but if they
> went hunting through my html and found the php script they could
> easily whip up a program to POST information willy-nilly as fast as
> they wanted.
>
You need to do it server side. Every time the user submits information,
check against the time they previously submitted. If it's not too
quick, save the new time and allow the submission.
>
> Also any more information or websites that would contain useful
> information for newcomers to PHP and MySQL would be grand!
>
> Thanks a lot!
>
How many years do you want to spend? There are millions of pages about
this on the internet.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
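The three rules in the reply above (escape strings that sit inside quotes, validate numbers that sit outside quotes, and check list-type values against the list) are easiest to see side by side with hostile input. The block below is an added example, not code from the original post or the linked tutorial. It assumes an in-memory SQLite database standing in for MySQL so that it runs offline, and it uses PDO::quote() in the role of mysql_real_escape_string() (the mysql_ extension was removed in PHP 7; both escapers depend on the connection's character set, which is why the quoted snippet passes $dbh). The table, rows and attacker strings are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example: the three defences from the reply, run against hostile input.
// Assumptions: in-memory SQLite (via PDO) stands in for MySQL, and PDO::quote()
// stands in for mysql_real_escape_string(). Table and rows are constructed.

function open_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, role TEXT NOT NULL)');
    $db->exec("INSERT INTO users (id, name, role) VALUES (1, 'alice', 'admin'), (2, 'bob', 'user'), (3, 'o''neil', 'user')");
    return $db;
}

/** Rule 1: a string literal inside quotes. Escaping makes the quote characters inert. */
function find_user_by_name(PDO $db, string $userName): array {
    $sql = 'SELECT id, name, role FROM users WHERE name = ' . $db->quote($userName);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Rule 2: a number in an unquoted position. Escaping does nothing here, because
 *  "1 OR 1=1" contains no quote characters, so the value must be proven numeric. */
function find_user_by_id(PDO $db, string $rawId): array {
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return $db->query("SELECT id, name, role FROM users WHERE id = $id")->fetchAll(PDO::FETCH_ASSOC);
}

/** Rule 3: an identifier. Neither quoting nor escaping can make a column name
 *  safe, so it must be one of the values we allow (the "list" in the reply). */
function list_users_sorted(PDO $db, string $sortBy): array {
    $allowed = ['id', 'name', 'role'];
    if (!in_array($sortBy, $allowed, true)) {
        throw new InvalidArgumentException("unknown sort column: $sortBy");
    }
    return $db->query("SELECT id, name, role FROM users ORDER BY $sortBy")->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration with constructed attacker-style inputs.
$db = open_demo_db();

// The classic payload stays a literal: no user is named "' OR '1'='1".
printf("name %-24s -> %d rows\n", var_export("' OR '1'='1", true), count(find_user_by_name($db, "' OR '1'='1")));
// A legitimate name containing a quote still matches.
printf("name %-24s -> %d rows\n", var_export("o'neil", true), count(find_user_by_name($db, "o'neil")));

foreach (['2', '1 OR 1=1', '1; DROP TABLE users'] as $raw) {
    try {
        printf("id   %-24s -> %d rows\n", var_export($raw, true), count(find_user_by_id($db, $raw)));
    } catch (InvalidArgumentException $e) {
        printf("id   %-24s -> rejected: %s\n", var_export($raw, true), $e->getMessage());
    }
}

foreach (['name', 'role; DROP TABLE users'] as $col) {
    try {
        printf("sort %-24s -> %d rows\n", var_export($col, true), count(list_users_sorted($db, $col)));
    } catch (InvalidArgumentException $e) {
        printf("sort %-24s -> rejected: %s\n", var_export($col, true), $e->getMessage());
    }
}
```

Run it with `php` from the command line. With PDO or mysqli the usual choice today is a prepared statement with bound parameters, which covers rules 1 and 2 (the driver sends the value separately from the SQL text), but not rule 3: a placeholder cannot stand for a column or table name, so identifiers taken from the request still need the whitelist.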
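The server-side check described for the last question (compare this submission's time with the user's previous one, and record the new time only if enough has passed) is shown below as an added example, not code from the original post. It assumes submissions are keyed by an authenticated user id, a minimum gap of MIN_INTERVAL seconds, and an in-memory SQLite database via PDO standing in for a MySQL table (hypothetical name: submission_limits) so that it runs offline; the clock is passed in rather than read from time() so the sequence is deterministic.

```php
<?php
declare(strict_types=1);

// Added example: server-side submission throttling. Assumptions: users are
// identified by an authenticated user id, SQLite in memory stands in for the
// MySQL table, and timestamps are passed in explicitly for a repeatable demo.

const MIN_INTERVAL = 30; // minimum seconds between two submissions by one user

function open_limit_store(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE submission_limits (
                   user_id        INTEGER PRIMARY KEY,
                   last_submit_at INTEGER NOT NULL)');
    return $db;
}

/**
 * Returns true (and records $now) if the user may submit, false if their
 * previous submission was less than MIN_INTERVAL seconds ago.
 *
 * The comparison and the update are one UPDATE statement, so two requests
 * racing for the same user cannot both read the old timestamp and both pass,
 * which a SELECT followed by an UPDATE in PHP would allow.
 */
function allow_submission(PDO $db, int $userId, int $now): bool {
    $upd = $db->prepare(
        'UPDATE submission_limits SET last_submit_at = :now
          WHERE user_id = :uid AND last_submit_at <= :cutoff');
    $upd->execute([':now' => $now, ':uid' => $userId, ':cutoff' => $now - MIN_INTERVAL]);
    if ($upd->rowCount() === 1) {
        return true; // previous submission was old enough; timestamp replaced
    }

    // Either no row exists yet (first submission) or the row is too recent.
    // Try to create it: the primary key rejects a duplicate, so two concurrent
    // first submissions can only succeed once.
    try {
        $ins = $db->prepare(
            'INSERT INTO submission_limits (user_id, last_submit_at) VALUES (:uid, :now)');
        $ins->execute([':uid' => $userId, ':now' => $now]);
        return true;
    } catch (PDOException $e) {
        if ((string) $e->getCode() !== '23000') { // SQLSTATE: integrity constraint violation
            throw $e;
        }
        return false; // row already exists and is too recent
    }
}

// Demonstration with a constructed clock (seconds since epoch) and user id.
$db   = open_limit_store();
$t0   = 1700000000;
$user = 42;

foreach ([0, 5, 29, 30, 31, 90] as $offset) {
    $ok = allow_submission($db, $user, $t0 + $offset);
    printf("t+%-3ds -> %s\n", $offset, $ok ? 'accepted' : 'rejected (too soon)');
}
```

In a real handler the key comes from the session's authenticated user and `$now` from time(). For anonymous forms the only available key is the client address, which is shared behind NAT and easy to rotate, so the same logic applied to an IP column slows a naive script but is not a strong limit.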