Posted by Rob on 11/26/07 09:36
On Nov 24, 11:31 am, Dan <djdr...@gmail.com> wrote:
> Hello!
>
> I've got some misc. questions about PHP and its usage with MySQL.
>
> The following web page:
>
> http://www.freewebmasterhelp.com/tutorials/phpmysql/3
>
> shows that it is normal to include mysql database usernames and
> passwords in the php file. Is this good programming practice? I'm
> worried that people would be able to read my php file through a web
> browser or through other nefarious means.
>
> This is the statement that must be in the source file to connect to a
> database:
>
> mysql_connect(localhost,$username,$password);
>
> with $username and $password defined elsewhere in the source file.
> This seems scary to me!
>
> How to properly defend against an injection attack? Wikipedia has the
> following code as for how to defend:
>
> $query_result = mysql_query
> (
> "select * from users where name = '"
> .
> mysql_real_escape_string($user_name, $dbh)
> .
> "'"
> );
>
> If this is all it takes to defend against the attacks why is such a
> big deal made about them? Is there something more that you need to
> defend against?
>
> Also one more question on how to keep track of people who are
> submitting information on a website. How to set a time limit to how
> often people can submit information? This is easy to do on the client
> side, just disable the button for a set amount of time, but if they
> went hunting through my html and found the php script they could
> easily whip up a program to POST information willy nilly as fast as
> they wanted.
>
> Also any more information or websites that would contain useful
> information for newcomers to PHP and MySQL would be grand!
>
> Thanks a lot!
I would be inclined to put the username, password, etc. in a separate
file. There are a number of advantages, the main one being if you
accidentally delete the '<?php' tag, the sensitive information won't
be automatically displayed.
Unlikely I know, but might as well be safe.
Rob.
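One way to lay out what Rob describes, shown here as an added example rather than code from the thread: a settings file kept outside the web root, and the connection from Dan's question rewritten to read from it, keeping the escaping pattern he quoted. The file paths, the `app_user`/`app_db` names and the `$_POST['name']` field are assumptions.

```php
<?php
// ---- File 1: /var/www/private/db_config.php (assumed path) ----
// Lives OUTSIDE the document root, so the web server can never serve it
// even if the opening <?php tag were lost. Returning an array instead of
// defining globals means an accidental second include prints nothing.
return array(
    'host'     => 'localhost',
    'user'     => 'app_user',    // placeholder credentials, not real ones
    'password' => 'CHANGE-ME',
    'database' => 'app_db',
);

<?php
// ---- File 2: /var/www/html/login.php (assumed path, inside the web root) ----
// Absolute path, so a stray include_path entry cannot redirect the require.
$config = require '/var/www/private/db_config.php';

$dbh = mysql_connect($config['host'], $config['user'], $config['password']);
if (!$dbh) {
    // Never echo mysql_error() to the browser on a live site: it leaks the
    // host and user name. Log it and show a neutral message instead.
    error_log('DB connect failed: ' . mysql_error());
    exit('Service unavailable');
}
mysql_select_db($config['database'], $dbh);

// The pattern Dan quoted: the value sits inside single quotes and is escaped
// with the live connection's character set (the $dbh argument matters for
// multi-byte charsets).
$user_name = isset($_POST['name']) ? $_POST['name'] : '';
$query_result = mysql_query(
    "select * from users where name = '"
    . mysql_real_escape_string($user_name, $dbh)
    . "'",
    $dbh
);
```

The separate file only helps if it lives outside the directory the web server publishes; a `.inc` file under the web root is served as plain text unless the server is configured to treat it as PHP.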