Posted by George Chapman on 10/07/05 00:04
In article <Tae0f.117$E46.43@newssvr23.news.prodigy.net>, JumpMan222@aol.com says...
> Lastly, I was also wondering if it matters that I use mysql_connect() on
> every page in the event I do not SSL every page... please correct me if
> I am wrong, but since it resides on the server, I don't *think* the
> database password, which is stored in the php file in plain text, should
> ever actually be transported across the network. I have not been able
> to confirm this however.
>
Normally, no, the password is inaccessible to the web visitor. However,
if something were to go awry with your web server settings, and for some
reason it failed to recognize PHP as something that should be processed
rather than just served, the web browser may in this admittedly unlikely
event display the code or even offer the user the chance to download the
PHP file.
The way to protect against this: Put the mysql_connect in its own PHP
file, residing in a folder that is OUTSIDE your web root but still
accessible to PHP. Then do require_once('db_connect.php') at the start
of every script that needs it.
Of course this STILL makes it vulnerable to anyone that has access to the
physical file, including people with access to the physical machine, and
people who have the ability to FTP or Telnet to your files.
Just my 2 cents.
- GC
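
The layout described in the post above, as an added example that is not part of the original post: a db_connect.php kept outside the web root that refuses to load if it ever ends up under the document root. The paths, the helper names path_is_inside() and db(), and the credentials are assumptions made for illustration, and mysqli stands in for mysql_connect(), which was removed in PHP 7.

```php
<?php
// Assumed location (not from the post): /srv/example/private/db_connect.php,
// with the web root at /srv/example/public_html. Pages load it with:
//   require_once dirname(__DIR__) . '/private/db_connect.php';

// True when $path resolves to a location at or below $root.
function path_is_inside(string $path, string $root): bool
{
    $path = realpath($path);
    $root = realpath($root);
    if ($path === false || $root === false) {
        return false;
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path . DIRECTORY_SEPARATOR, $root, strlen($root)) === 0;
}

// Fail closed if this file has been copied or moved under the web root,
// where a PHP handler misconfiguration would serve it as plain text.
$docRoot = $_SERVER['DOCUMENT_ROOT'] ?? '';
if ($docRoot !== '' && path_is_inside(__FILE__, $docRoot)) {
    error_log('db_connect.php is inside the document root; refusing to load');
    http_response_code(500);
    exit;
}

// Returns one shared connection per request, opened on first use.
// Host, user, password and database name are constructed placeholders.
function db(): mysqli
{
    static $link = null;
    if ($link === null) {
        // Throw exceptions on failure instead of returning false silently.
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
        $link = new mysqli('localhost', 'app_user', 'REPLACE_ME', 'app_db');
        $link->set_charset('utf8mb4');
    }
    return $link;
}
```

Because the path in require_once is absolute, the include does not depend on include_path or on the directory of the calling script.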