
PHP Server Side Scripting Forum

    
PHP connection include
rsndll

5+ Year Member



 
Msg#: 3266451 posted 8:50 am on Feb 28, 2007 (gmt 0)

I'm still teaching myself PHP/MySQL and am gradually doing small things to make my coding more secure.

One major thing I have heard is that it is bad to have the MySQL connection details in the same folder as the website. I have a file called conz.php with password, user name details etc which I include in every page.

As I'd expect if I view the source of any of the resultant pages I don't see this info. Is there a way that someone can see this info?

Also I heard that if someone includes my webpages in theirs they can wreak havoc with my database. Wouldn't they need to know my table names etc to do that?

 

mcibor

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3266451 posted 8:59 am on Feb 28, 2007 (gmt 0)

If you have access to MySQL, you can run SHOW TABLES to get the names.

Usually a simple include will not work, as it will include the already parsed file.
What you could additionally do is put the include file in another folder, and with .htaccess further restrict access to it.

Regards
Michal

rsndll

5+ Year Member



 
Msg#: 3266451 posted 9:18 am on Feb 28, 2007 (gmt 0)

Thanks. I had thought about htaccess, but wouldn't that require the password to be entered each time the page is viewed?

mcibor

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3266451 posted 9:39 am on Feb 28, 2007 (gmt 0)

That's why I suggested you put just the include in another folder, e.g.
includes/include.php
and in includes/ put .htaccess

But the pages are not there, only in the main folder.
Then by
<?php
require_once ('includes/include.php');

it will not ask for a password.
Michal

jatar_k

WebmasterWorld Administrator jatar_k is a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 3266451 posted 1:36 pm on Feb 28, 2007 (gmt 0)

You can also keep the file above the webroot, which makes it impossible to include without being on the same physical machine.
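
The above-the-webroot layout described in the last reply, as an added example that is not part of any post in this thread: a loader that reads the credentials from a directory outside the DocumentRoot and refuses a copy that a URL could reach. The directory names, the array keys and both function names are assumptions made for the illustration.

```php
<?php
// Added example; the paths and names here are assumptions, not from the thread.
// Intended layout:  /home/site/private/conz.php   (credentials, above the webroot)
//                   /home/site/public_html/       (DocumentRoot, the pages)
// conz.php returns an array instead of setting globals.

// True if $path resolves (symlinks followed) to somewhere under $docroot.
function is_inside_docroot(string $path, string $docroot): bool
{
    $real = realpath($path);
    $root = realpath($docroot);
    if ($real === false || $root === false) {
        throw new RuntimeException('cannot resolve config path or docroot');
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real . DIRECTORY_SEPARATOR, $root, strlen($root)) === 0;
}

// Load the credentials, refusing any file a browser could request by URL.
function load_db_config(string $configPath, string $docroot): array
{
    if (is_inside_docroot($configPath, $docroot)) {
        throw new RuntimeException("config is inside the webroot: $configPath");
    }
    $cfg = require $configPath;
    foreach (['host', 'user', 'pass', 'name'] as $key) {
        if (!is_array($cfg) || !isset($cfg[$key])) {
            throw new RuntimeException("config is missing '$key'");
        }
    }
    return $cfg;
}

// Demo on a constructed temp tree. On a real site pass $_SERVER['DOCUMENT_ROOT'].
$base = sys_get_temp_dir() . '/conz_demo_' . getmypid();
mkdir("$base/public_html/includes", 0700, true);
mkdir("$base/private", 0700, true);
$sample = "<?php return ['host' => 'localhost', 'user' => 'app',"
        . " 'pass' => 'constructed-sample', 'name' => 'appdb'];\n";
file_put_contents("$base/private/conz.php", $sample);
file_put_contents("$base/public_html/includes/conz.php", $sample);

$cfg = load_db_config("$base/private/conz.php", "$base/public_html");
echo "loaded credentials for DB user {$cfg['user']}\n";
try {
    load_db_config("$base/public_html/includes/conz.php", "$base/public_html");
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
```

Run from the command line, the first call loads the constructed credentials from private/ and the second is refused because that copy sits under public_html/.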
