Re: Newbie Security Questions

Posted by Michael Vilain on 11/24/07 19:23

In article <13kg7mvjssbnac8@corp.supernews.com>,
"Shelly" <sheldonlg.news@asap-consult.com> wrote:

> Dan wrote:
> > Hello!
> >
> > I've got some misc. questions about PHP and its usage with MySQL.
> >
> >
> > The following web page:
> >
> > http://www.freewebmasterhelp.com/tutorials/phpmysql/3
> >
> > shows that it is normal to include mysql database usernames and
> > passwords in the php file. Is this good programming practice? I'm
> > worried that people would be able to read my php file through a web
> > browser or through other nefarious means.
> >
> > This is the statement that must be in the source file to connect to a
> > database:
> >
> > mysql_connect('localhost', $username, $password);
> >
> > with $username and $password defined elsewhere in the source file.
> > This seems scary to me!
> >
> >
> > How to properly defend against an injection attack? Wikipedia has the
> > following code as for how to defend:
> >
> > $query_result = mysql_query(
> >     "select * from users where name = '"
> >     . mysql_real_escape_string($user_name, $dbh)
> >     . "'"
> > );
> >
> > If this is all it takes to defend against the attacks why is such a
> > big deal made about them? Is there something more that you need to
> > defend against?
> >
> >
> > Also one more question on how to keep track of people who are
> > submitting information on a website. How to set a time limit to how
> > often people can submit information? This is easy to do on the client
> > side, just disable the button for a set amount of time, but if they
> > went hunting through my html and found the php script they could
> > easily whip up a program to POST information willy nilly as fast as
> > they wanted.
> >
> >
> > Also any more information or websites that would contain useful
> > information for newcomers to PHP and MySQL would be grand!
> >
> > Thanks a lot!
>
> Here is the simple answer: they cannot see your PHP script. The PHP
> script resides on the server. It generates html as output and it is the
> html that is sent to the browser. Try looking at a "Page source" in a
> browser for a page with a php suffix. All you will see is the resultant
> html.

I read in an article a neat trick--store the username and password for
your MySQL database as environment variables in an INCLUDE to the
startup file for your Apache server. This way the file can be protected
with appropriate permissions and is run as root when Apache starts. I'm
lucky. My web host was willing to do this for my site. Yours may not.

http://shiflett.org/articles/shared-hosting

--
DeeDee, don't press that button! DeeDee! NO! Dee...
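The technique Michael describes (credentials exported by Apache's startup include, read by the script instead of hard-coded) together with the users lookup Dan quoted, as an added example that is not code from the thread. It assumes the variables DB_HOST, DB_USER, DB_PASS and DB_NAME were exported in that startup include and that PHP runs as an Apache module so it inherits Apache's environment (under PHP-FPM the pool's clear_env setting would have to be changed); mysqli with a prepared statement replaces the old mysql_* calls.

```php
<?php
// Added example: credentials come from the environment Apache exported at
// startup, never from a literal in this file. Variable names are assumptions.

function db_credentials_from_env(): array
{
    $creds = [];
    foreach (['DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME'] as $var) {
        $value = getenv($var);
        if ($value === false || $value === '') {
            // Fail closed: no hard-coded fallback if the server was not configured.
            throw new RuntimeException("$var is not set in the server environment");
        }
        $creds[$var] = $value;
    }
    return $creds;
}

function connect_from_env(): mysqli
{
    $c = db_credentials_from_env();
    // Turn connection and query failures into exceptions instead of silent false.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli($c['DB_HOST'], $c['DB_USER'], $c['DB_PASS'], $c['DB_NAME']);
}

// The users lookup quoted above, as a prepared statement: the value is sent
// separately from the SQL text, so there is no escaping step to forget.
function find_user(mysqli $db, string $user_name): ?array
{
    $stmt = $db->prepare('SELECT * FROM users WHERE name = ?');
    $stmt->bind_param('s', $user_name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$db = connect_from_env();
var_dump(find_user($db, $_POST['name'] ?? ''));
```

Because the credentials live in the environment, a leaked copy of this script reveals nothing about the database login, which is the concern Dan raised.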


