Hiding database connection info

  • Fernando Rodríguez

    Hiding database connection info


    Hi,

    In a php script, I have to connect to a remote mysql database. I'm a bit
    worried that some user might be able to retrieve the source of the page and
    see the user name and password to connect to the db.

    Is this reasonable? What's the best way to avoid it?

    Thanks


  • d

    #2
    Re: Hiding database connection info

    "Fernando Rodríguez" <frr@easyjob.net> wrote in message
    news:a33bd84136438c7ea43a458a6ef@news.supernews.com...
    >
    > Hi,
    >
    > In a php script, I have to connect to a remote mysql database. I'm a bit
    > worried that some user might be able to retrieve the source of the page
    > and see the user name and password to connect to the db.
    >
    > Is this reasonable? What's the best way to avoid it?

    Put the script somewhere outside the web root, and make sure only the user
    the script is running under has read access to it. If someone can get to it
    then, the DB information getting leaked is the least of your worries.

    > Thanks



    • jody.florian@gmail.com

      #3
      Re: Hiding database connection info

      Maybe you could create a separate folder within the document root and
      create a .htaccess file to deny access? It's straightforward, although
      I'm sure Fernando's suggestion is the more secure option.

      .htaccess (in the protected directory):
      ----
      deny from all
      ----


      • Jim Michaels

        #4
        Re: Hiding database connection info

        "Fernando Rodríguez" <frr@easyjob.net> wrote in message
        news:a33bd84136438c7ea43a458a6ef@news.supernews.com...
        >
        > Hi,
        >
        > In a php script, I have to connect to a remote mysql database. I'm a bit
        > worried that some user might be able to retrieve the source of the page
        > and see the user name and password to connect to the db.
        >
        > Is this reasonable? What's the best way to avoid it?


        make sure your include file is a .php file.

        > Thanks



        • Kevin D.

          #5
          Re: Hiding database connection info

          "Jim Michaels" <jmichae3@nospam.yahoo.com> wrote in message
          news:KrGdnUorKdJLJ3benZ2dnUVZ_t2dnZ2d@comcast.com...
          > "Fernando Rodríguez" <frr@easyjob.net> wrote in message
          > news:a33bd84136438c7ea43a458a6ef@news.supernews.com...
          >>
          >> Hi,
          >>
          >> In a php script, I have to connect to a remote mysql database. I'm a bit
          >> worried that some user might be able to retrieve the source of the page
          >> and see the user name and password to connect to the db.
          >>
          >> Is this reasonable? What's the best way to avoid it?
          >
          >
          > make sure your include file is a .php file.
          >
          >> Thanks

          a lot of tutorials and folks will tell you to keep sensitive information
          like this in an include file that sits outside of your web space

          you can do this, and it works... but i prefer to keep all my files within
          the web space for organization and portability, etc.

          stick your db connection code in an include file and use a non-php extension
          (.config, .cfg, .inc are all good choices) then you'll need to configure
          your web server to disallow serving of these file types

          if you're on apache (sorry, i don't know for IIS or others) it's a few lines
          in a .htaccess file:

          <Files ~ "\.(inc|cfg|config)$">
          Order deny,allow
          Deny from all
          </Files>

          this example will prevent the web server from serving any file with a .inc,
          .cfg, or .config extension... you can still include these files normally

          it's the Web.config files in the ASP.NET framework that inspired me to set
          up this type of configuration

          - kevin
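
The approach from reply #2 (credentials file outside the web root, readable only by the account the script runs as), written out as an added example that is not part of any post in this thread. The function name, array keys, paths and sample values are assumptions made up for the demonstration, and the permission check assumes a Unix-like host.

```php
<?php
// Added example: load DB credentials from a file kept outside the web root.
// load_db_config(), the array keys and all paths/values are hypothetical.

function load_db_config(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);   // resolves symlinks and ../ segments
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('config file or document root not found');
    }
    // The file must not sit anywhere under the directory the server publishes.
    if (strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('config file is inside the document root');
    }
    // Only the owning account may have access: no group/other permission bits.
    if ((fileperms($real) & 0077) !== 0) {
        throw new RuntimeException('config file is accessible to group or others');
    }
    $cfg = require $real;            // the file itself does: return [ ... ];
    foreach (['host', 'name', 'user', 'pass'] as $key) {
        if (!is_array($cfg) || !isset($cfg[$key])) {
            throw new RuntimeException("config file is missing '$key'");
        }
    }
    return $cfg;
}

// Constructed demo layout: a temp directory stands in for the real server.
$base = sys_get_temp_dir() . '/dbcfg_demo_' . getmypid();
mkdir("$base/htdocs", 0755, true);    // plays the web root
mkdir("$base/private", 0700, true);   // sibling directory, never served
$file = "$base/private/db.php";
file_put_contents($file, "<?php return ['host' => 'db.example.test', "
    . "'name' => 'app', 'user' => 'app_rw', 'pass' => 'placeholder'];");
chmod($file, 0600);

$cfg = load_db_config($file, "$base/htdocs");
$dsn = "mysql:host={$cfg['host']};dbname={$cfg['name']};charset=utf8mb4";
echo "would connect with DSN: $dsn", PHP_EOL;
// $pdo = new PDO($dsn, $cfg['user'], $cfg['pass']);  // real connection, not run here

// Loosening the mode makes the loader refuse the file.
chmod($file, 0644);
clearstatcache();
try {
    load_db_config($file, "$base/htdocs");
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```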

