|
|
Posted by Kevin D. on 10/17/76 11:39
"Jim Michaels" <jmichae3@nospam.yahoo.com> wrote in message
news:KrGdnUorKdJLJ3benZ2dnUVZ_t2dnZ2d@comcast.com...
> "Fernando Rodrνguez" <frr@easyjob.net> wrote in message
> news:a33bd84136438c7ea43a458a6ef@news.supernews.com...
>>
>> Hi,
>>
>> In a php script, I have to connect to a remote mysql database. I'm a bit
>> worried that some user might be bale to retrieve the source of the page
>> and see the user name and password to connect to the db.
>>
>> Is this resonable? What's the best way to avoid it?
>
>
> make sure your include file is a .php file.
>
>>
>> Thanks
>>
>>
>
>
a lot of tutorials and folks will tell you to keep sensitive information
like this in an include file that sits outside of your web space
you can do this, and it works... but i prefer to keep all my files within
the web space for organization and portability, etc.
stick your db connection code in an include file and use a non-php extension
(.config, .cfg, .inc are all good choices) then you'll need to configure
your web server to disallow serving of these file types
if you're on apache (sorry, i don't know for IIS or others) it's a few lines
in a .htaccess file:
<Files ~ "\.(inc|cfg|config)$">
Order deny,allow
Deny from all
</Files>
this example will prevent the web server from serving any file with a .inc,
..cfg, or .config extension... you can still include these files normally
it's the Web.config files in the ASP.NET framework that inspired me to set
up this type of configuration
- kevin
[Back to original message]
|