Resolved database security question

james438
03-13-2010, 07:27 PM
I've been thinking of security questions lately, but I am not too worried. I have been rather careful with my data thus far.

Let's say that someone were to know the address for my database connect file. The file is simple with:

<?php
$connect = mysql_connect("host", "username", "password") or die(mysql_error());
mysql_select_db("database1",$connect) or die(mysql_error());
?>

Should this be better protected?

traq
03-13-2010, 08:57 PM
You can store your DB connection file behind your web root directory. Your pages will still be able to include() it, but it will be inaccessible to the general public:

include($_SERVER['DOCUMENT_ROOT'].'/../includes/database.php');

james438
03-14-2010, 02:24 AM
What is a good test I could do to see if it is working? I must be really lazy, because I created the database connect file in the root directory and then placed an include file in my old database connect file to the database connect file that is now located in the root directory. Not sure if that will work though.

For example www.mysite.com/test.php contains:

<?php
include '../connect.php';
?>

############################

If http://www.mysite.com/test.php contains:

<?php
$connect = mysql_connect("host", "username", "password") or die(mysql_error());
mysql_select_db("database1",$connect) or die(mysql_error());
?>

Like it did before, how could I do a test hack of my site? I have a few websites, so I can test this using another website.

traq
03-14-2010, 04:44 AM
I don't do much security-test-hacking, so I couldn't really help you there. The general consensus among PHP security articles is that, if your scripts and host are set up correctly, then behind the web root is all but completely inaccessible to the general public - and most malicious users.

That said, let me clarify:

I created the database connect file in the root directory...

Not in your root, behind it. Your root directory might be something like /home/username/public_html/. "Behind" your root means someplace like /home/username/includes/. It's completely invisible to the public, meaning you can't type that address into your browser and find anything. You have to go through your FTP client or web host control panel to find it.

Your example uses a relative URL: "../connect.php".

You need an absolute (or root-relative) URL for this, unless you never connect to your db from anywhere except your root directory, and/or depending on your server configuration. Like so: "/../connect.php", or in the case of my example in the above paragraph, "/../includes/connect.php".
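As an added example that is not part of the thread, here is the kind of test james438 asked for: a shell check that the connect file resolves outside the document root (after realpath has collapsed the "../" segments the include() trick relies on), plus an optional curl check that the file's URL is not served. The public_html and includes/ paths follow traq's example; the temp-directory layout in the demo is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks for a PHP connect file:
# 1) offline: does the file resolve OUTSIDE the document root once realpath
#    has collapsed "../" segments and symlinks?
# 2) online (optional): does the web server refuse to serve its URL?
# Paths (public_html, includes/) follow the thread; the demo layout is constructed.

# outside_docroot DOCROOT FILE
# returns 0 = file is outside the web root (safe), 1 = it is served from
# inside the web root, 2 = a path does not exist.
outside_docroot() {
    [ -d "$1" ] && [ -e "$2" ] || return 2
    docroot=$(realpath "$1") || return 2
    target=$(realpath "$2") || return 2
    case "$target" in
        "$docroot"/*) return 1 ;;   # anyone who guesses the URL gets the file
        *)            return 0 ;;
    esac
}

# not_served URL
# returns 0 when the server answers 403 or 404 for the connect file's URL;
# needs network access and curl, so the offline demo does not call it.
not_served() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1") || return 2
    case "$code" in
        403|404) return 0 ;;
        *)       echo "unexpected HTTP $code for $1" >&2; return 1 ;;
    esac
}

# Demo with a constructed layout mirroring the thread's two locations:
#   <tmp>/public_html/old/connect.php   (in the root: exposed)
#   <tmp>/includes/database.php         (behind the root: hidden)
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    mkdir -p "$tmp/public_html/old" "$tmp/includes"
    : > "$tmp/public_html/old/connect.php"
    : > "$tmp/includes/database.php"
    for f in public_html/old/connect.php includes/database.php; do
        if outside_docroot "$tmp/public_html" "$tmp/$f"; then
            echo "OK      $f is outside the document root"
        else
            echo "EXPOSED $f is inside the document root"
        fi
    done
    rm -rf "$tmp"
fi
```

Run with `sh check.sh demo` for the offline walkthrough; the HTTP check only shows whether the URL is answered, so the path check is the one that actually proves the credentials sit behind the root.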

james438
03-14-2010, 04:54 AM
What I meant is that there are two files. oldconnect.php and newconnect.php.

oldconnect.php is located in username/html/include/connect.php and contains:

<?php
include '../newconnect.php';
?>

newconnect.php is located in username/newconnect.php and contains:

<?php
$connect = mysql_connect("host", "username", "password") or die(mysql_error());
mysql_select_db("database1",$connect) or die(mysql_error());
?>

I think I just realized what you mean about relative vs absolute url. I added the following to oldconnect.php:

<?php
// Count the path segments of the requested script to guess how many
// directory levels below the web root this page sits, then climb that many.
$thisdir = $_SERVER['PHP_SELF'];
$thisdir = explode('/', $thisdir);
$thisdir = count($thisdir);
if ($thisdir == 3) include '../../newconnect.php';
else include '../newconnect.php';
?>

It's crude, but suits my needs fine.

The problem is that I am unsure if oldconnect.php, which is not located above the root, but refers to newconnect.php which does the actual database connecting and is located above the root, is safe.

traq
03-14-2010, 05:07 AM
uh... just to make sure I'm following you, newconnect.php (which contains the DB info) is behind the web root, correct? If so, then yes, it's good.

Also, you don't need all that code to determine which directory you're in. Try simply:

<?php
include($_SERVER['DOCUMENT_ROOT']."/../connect.php");
?>

james438
03-14-2010, 05:27 AM
Sorry about that. I fixed the naming errors in my previous post.

I like your code. I didn't know I could do that. My code has been updated and is now safer :)

traq
03-14-2010, 03:58 PM
You're welcome!