Global Moderator
database security question
I've been thinking of security questions lately, but I am not too worried. I have been rather careful with my data thus far.
Let's say that someone were to know the address for my database connect file. The file is simple with:
Should this be better protected?PHP Code:<?php
$connect = mysql_connect("host", "username", "password") or die(mysql_error());
mysql_select_db("database1",$connect) or die(mysql_error());
?>
Last edited by james438; 03-14-2010 at 05:28 AM.
To choose the lesser of two evils is still to choose evil. My personal site
global $Moderator;
you can store your DB connection file behind your web root directory. Your pages will still be able to include() it, but it will be inaccessible to the general public:
PHP Code:include($_SERVER['DOCUMENT_ROOT'].'/../includes/database.php');
Global Moderator
What is a good test I could do to see if it is working? I must be really lazy, because I created the database connect file in the root directory and then placed an include file in my old database connect file to the database connect file that is now located in the root directory. Not sure if that will work though.
For example www.mysite.com/test.php contains:
############################PHP Code:<?php
include '../connect.php';
?>
If http://www.mysite.com/test.php contains:
Like it did before, how could I do a test hack of my site? I have a few websites, so I can test this using another website.Code:<?php $connect = mysql_connect("host", "username", "password") or die(mysql_error()); mysql_select_db("database1",$connect) or die(mysql_error()); ?>
Last edited by james438; 03-14-2010 at 03:39 AM.
To choose the lesser of two evils is still to choose evil. My personal site
global $Moderator;
I don't do much security-test-hacking, so I couldn't really help you there. The general consensus among php security articles is that, if your scripts and host is set up correctly, then behind the web root is all but completely inaccessible to the general public - and most malicious users.
That said, let me clarify:
Not in your root, behind it. Your root directory might be something likeOriginally Posted by james438
/home/username/public_html/. "Behind" your root means someplace like/home/username/includes/. It's completely invisible to the public, meaning you can't type that address into your browser and find anything. You have to go through your ftp client or webhost control panel to find it.
Your example uses a relative url:"../connect.php".
You need an absolute (or root-relative) url for this, unless you never connect to your db from anywhere except your root directory, and/or depending on your server configuration. Like so:"/../connect.php", or in the case of my example in the above paragraph,"/../includes/connect.php".
Global Moderator
What I meant is that there are two files. oldconnect.php and newconnect.php.
oldconnect.php is located in username/html/include/connect.php and contains:
newconnect.php is located in username/newconnect.php and contains:PHP Code:<?php
include '../newconnect.php';
?>
I think I just realized what you mean about relative vs absolute url. I added the following to oldconnect.php:PHP Code:<?php
$connect = mysql_connect("host", "username", "password") or die(mysql_error());
mysql_select_db("database1",$connect) or die(mysql_error());
?>
It's crude, but suits my needs fine.PHP Code:<?php
$thisdir = "$_SERVER[PHP_SELF]";
$thisdir = explode('/',$thisdir);
$thisdir = count($thisdir);
if($thisdir==3) include '../../newconnect.php';
else include '../newconnect.php';
?>
The problem is that I am unsure if oldconnect.php, which is not located above the root, but refers to newconnect.php which does the actual database connecting and is located above the root, is safe.
Last edited by james438; 03-14-2010 at 05:23 AM. Reason: fixed some naming errors
To choose the lesser of two evils is still to choose evil. My personal site
global $Moderator;
uh... just to make sure I'm following you, newconnect.php (which contains the DB info) is behind the web root, correct? If so, then yes, it's good.
Also, you don't need all that code to determine which directory you're in. Try simply:
PHP Code:<?php
include($_SERVER['DOCUMENT_ROOT']."/../connect.php");
?>
james438 (03-14-2010)
Global Moderator
Sorry about that. I fixed the naming errors in my previous post.
I like your code. I didn't know I could do that. My code has been updated and is now safer
To choose the lesser of two evils is still to choose evil. My personal site
global $Moderator;
Posting Permissions
Reply With Quote
Bookmarks