How to hide the mysql user and pass

         

w31rd0

8:13 am on Apr 11, 2005 (gmt 0)

10+ Year Member



Hi,

My problem is as follows:

I need to hide the mysql user and pass, so the developers might connect to the DB server, but not know the current user and password used for it.

The situation is:
- The mysql user is a "SELECT" only, but the info itself is sensitive.
- I cannot obtain 2 mysql users (one for development, that will be deleted, and another one for production)
- I didn't find any solution like including another file, because during development file_get_contents can be used to obtain the file source of the file I create the connection in.

If someone knows a 100% secure solution to this it would mean very much, and it would be very helpful.

Thank you in advance for your answers.

dmmh

8:55 am on Apr 11, 2005 (gmt 0)

10+ Year Member



I don't see a problem at all, people don't need to know the passwords to initiate a MySQL connection....

just make a separate connection.php file and put this line in it:

<? @ $db = mysql_connect('localhost', 'account', 'password');?>

and use require_once() in your global include file

dmmh

12:35 pm on Apr 11, 2005 (gmt 0)

10+ Year Member



Maybe I just don't know what you mean, I'm a tad confused :)

w31rd0

9:48 am on Apr 12, 2005 (gmt 0)

10+ Year Member



By using require_once() you reveal the file name and the location on the disk.

On Linux the Apache daemon must have read rights for require to work, as far as I know.

So, one can make file_get_contents("include.inc");
and so one has the source. By one I mean a developer, which is exactly the kind of person I want not to have access to this information. I only want him to use the live data during development time, not knowing the user and pass.

Thank you.

One kind of solution would be a double file inclusion.

Development file has require("include.inc");
and include.inc has require("confidential.inc").

And the confidential.inc file must have some kind of test to see which file includes it (maybe passing a variable), and to continue code execution only if "include.inc" calls it.

It sounds kind of strange anyway, and this idea is only theoretical because I didn't find any function or predefined variable capable of dealing with this approach.
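
The double-inclusion idea from the post above, written out as an added example (not code from the thread): `debug_backtrace()` lets confidential.inc check which file included it, yet `file_get_contents()` still returns its source. The temp directory, the `report_ro` account and the password are constructed for the demo.

```php
<?php
// Added example, not code from the thread. File names follow the post above;
// the credentials and the temp directory are constructed for the demo.
$dir = sys_get_temp_dir() . '/double_include_demo_' . getmypid();
mkdir($dir, 0700);

// confidential.inc: continues only when its direct includer is include.inc.
$guarded = <<<'SRC'
<?php
$trace = debug_backtrace();   // frame 0 describes the require/include that loaded this file
$includer = isset($trace[0]['file']) ? basename($trace[0]['file']) : '';
if ($includer !== 'include.inc') {
    return false;             // loaded from anywhere else: stop before the secrets
}
$db_user = 'report_ro';         // constructed sample value
$db_pass = 'example-password';  // constructed sample value
return true;
SRC;
file_put_contents("$dir/confidential.inc", $guarded);
file_put_contents("$dir/include.inc", "<?php\nreturn require __DIR__ . '/confidential.inc';\n");

// Functions keep the included variables out of the global scope.
function load_via_wrapper($dir) { return require "$dir/include.inc"; }
function load_directly($dir)    { return require "$dir/confidential.inc"; }

echo 'guard passes through include.inc: ';
var_dump(load_via_wrapper($dir));
echo 'guard passes on direct require:   ';
var_dump(load_directly($dir));

// The guard controls execution only. Reading the file is decided by
// filesystem permissions, and PHP needs read access in order to include it.
$source = file_get_contents("$dir/confidential.inc");
echo 'password visible in file source:  ';
var_dump(strpos($source, 'example-password') !== false);

// Clean up the demo files.
unlink("$dir/confidential.inc");
unlink("$dir/include.inc");
rmdir($dir);
```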

dmmh

6:38 pm on Apr 12, 2005 (gmt 0)

10+ Year Member



Yes, I still need to look into something similar myself (read access only for not logged in users, read and write for members and more advanced for admins/mods).

Shouldn't be too hard though, I just don't feel like thinking about it ;)

dmmh

6:50 pm on Apr 12, 2005 (gmt 0)

10+ Year Member



I think this one is easier than it seems.
The file_get_contents() function still parses as PHP prior to outputting anything, so you could use checking functions here and, to be safe, put it outside the root of the web dir.
Say you name it cond_connect.php:

if ($_SESSION['user_status'] === 'developer'){
@ $db = mysql_connect('localhost', 'develop_acc', 'password');
}else{
@ $db = mysql_connect('localhost', 'produce_acc', 'password');
}

Make a file called connect.php and use file_get_contents('../cond_connect.php').
It should output the proper stuff.

I'm not quite sure here, but I use the function to display my random banners in email messages and it parses like it should ;)

dmmh

6:52 pm on Apr 12, 2005 (gmt 0)

10+ Year Member



#*$! me, you want to hide it totally.... I think you can't do that, but I'm not sure :S

Gibble

6:53 pm on Apr 12, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If you can't trust your developer, he shouldn't be working for you.

Period.

Your login/password should only be a user with the privileges the application needs, not the sa, nor a user with full rights.

That is all the programmer needs. And quite honestly, even if you prevent him from knowing the username/password, as long as your programmer has a database connection, they can do whatever they want.

So really, there is absolutely no added security to hiding it from them. None, nada, zip, zilch.

gettopreacherman

7:11 pm on Apr 12, 2005 (gmt 0)

10+ Year Member



Point blank...if you trust your developer and you don't want him to have access to the information that he needs to develop around....you're OVERanal...

jatar_k

7:35 pm on Apr 12, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Alright, let's all get off of w31rd0's back.

I work in an environment where there are levels of access and only certain people have access to live data. Most of the time programmers don't need access to live data, that's why we have dev and QA environments.

One way is server access, we house login info on the machine itself and it is different from dev to qa to live. If you have access to that machine then you can see it.

It really is a tough one. That's how I have dealt with it most of the time.
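
One way to keep login info on the machine itself, as the post above describes, shown as an added example (not code from the thread): each server holds its own credentials file, and the loader refuses a copy that any local account can read. The file layout, key names and values are assumptions, and anything running as the web server user on that machine can still read the file.

```php
<?php
// Added example, not code from the thread. The file layout, key names and
// values are assumptions; each machine (dev, QA, live) would hold its own copy.
function load_db_credentials($path)
{
    clearstatcache(true, $path);
    $perms = @fileperms($path);
    if ($perms === false) {
        throw new RuntimeException("credentials file not found: $path");
    }
    // Refuse a file that any local account can read, write or execute.
    if (($perms & 0007) !== 0) {
        throw new RuntimeException(sprintf('mode %04o is too open: %s', $perms & 0777, $path));
    }
    $cfg = parse_ini_file($path);
    foreach (array('host', 'user', 'pass', 'dbname') as $key) {
        if (!is_array($cfg) || !isset($cfg[$key]) || $cfg[$key] === '') {
            throw new RuntimeException("missing key '$key' in $path");
        }
    }
    return $cfg;
}

// Constructed stand-in for a file such as /etc/myapp/db.ini (hypothetical path).
$path = tempnam(sys_get_temp_dir(), 'dbini');
file_put_contents($path, "host = \"localhost\"\nuser = \"report_ro\"\n"
    . "pass = \"example-password\"\ndbname = \"reports\"\n");

chmod($path, 0640);   // owner and the web server's group only
$cfg = load_db_credentials($path);
echo "loaded credentials for {$cfg['user']}@{$cfg['host']}\n";

chmod($path, 0644);   // world-readable: every local account could read the password
try {
    load_db_credentials($path);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
unlink($path);
```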

Gibble

7:46 pm on Apr 12, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I cannot obtain 2 mysql users

The simple fact is, with one mysql user, it won't matter what you do to prevent the developer from knowing the password, because with the $db connection he needs to access the database, he can do anything that user can...and there is no way to prevent that.

That's just the simple reality of the situation.