Hey everyone, I was taking a look through one of my websites that uses a database connection and I realized that I was storing the database login criteria in a connection.php file within the public_html folder on my server. I realized that this is probably not a very good idea. So I proceeded to create a file called Constants.php that I stored outside the public_html folder. The Constants.php file looks something like:

```php
<?php
// Database information
define('SERVER', 'localhost');
define('USERNAME', '******');
define('PASSWORD', '******');
define('DATABASE', '******');
?>
```

I then proceeded to update my connection.php file, which is stored in /public_html/includes, to the following:

```php
<?php
require_once('../../Constants.php');
$link = mysql_connect(SERVER, USERNAME, PASSWORD);
if (!$link) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db(DATABASE);
?>
```

Once uploaded I get a 500 server error and the browser says "The server encountered an internal error or misconfiguration and was unable to complete your request." Any thoughts on why this is happening? Thanks in advance.
You cannot include files outside the public_html area. It is a common practice to store connection details in connection.php file, but if you are afraid, you may create a folder "music" for example and a readme.php file for example inside it, with connection details.
I am not sure that is strictly true. I was doing some tinkering and created a file called test.php which is located in the same folder as connection.php:

```php
<?php
require_once('../../Constants.php');
echo SERVER . "<br/>";
?>
```

When I navigate to that file on my server the browser shows the correct information. This leads me to believe it is a problem because I am requiring the connection.php file into other files such as index.php.

I am aware of this, however first there is always the chance that it doesn't get processed properly and therefore shows up. Second, although this is not necessary, I am fine with leaving the file as it is; I am more just trying to solve it since it is bugging me.
This is another example of unnecessary worrying. Having connections.php in your public_html folder isn't going to ever show the source to your traffic unless YOU configure your web server to. So stop worrying. If you want to give yourself peace of mind create a folder called "public_html/private" then in "private" create a .htaccess with "deny from all" and place your Connections.php file there.
I'd be more worried about storing them using define than I would the file location -- since that means any script that gets elevated would then have access to the database! I realize turdpress does it that way, but there's a reason it won that pwnie back in 2008... that reason being its devs wouldn't know security if it stripped naked, painted itself purple and hopped up on a table to sing "Oh look at what private scope I am". But then there's a reason I build with the "one index to rule them all" method, and then have my dbsettings.php throw if it's not called DIRECTLY by the index.php... and then once I have a database connection in private scope of an object, unset the database connection info and define a tempvar that if set, also makes the dbsettings file and/or the defining function throw. I mean seriously -- the most important security information in the system, and you're going to define it in global space in a way that can't be unset until execution ends? Think about just how COLOSSALLY STUPID that is! It's no wonder that when systems that use said method get a code elevation hack they're pretty much 100% pwned. Bad enough when an elevation can modify files you were dumb enough to make 777 or 755, without having the entire database wide open too!
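An added example, not posted by anyone in this thread, that addresses both the include path problem from the original post and the "keep credentials out of global scope" point above: connection.php locates Constants.php with __DIR__ so the path no longer depends on which script was requested, and loads the credentials inside a function instead of define()-ing them. It assumes Constants.php sits one level above public_html and ends with `return [...]` rather than define() calls, and it uses mysqli in place of the removed mysql_* functions.

```php
<?php
// public_html/includes/connection.php  (added example, not from the thread)
//
// A relative require('../../Constants.php') is searched along include_path
// (normally starting with '.', the current working directory) before the
// directory of the file doing the require, so where it lands can depend on
// which script was requested (public_html/index.php vs. includes/test.php).
// __DIR__ is always the directory of THIS file, so the path is the same for
// every caller.

/**
 * Open a database connection from credentials that exist only inside this call.
 * Assumes Constants.php (hypothetical layout) ends with:
 *   return ['server' => ..., 'username' => ..., 'password' => ..., 'database' => ...];
 */
function db_connect(): mysqli
{
    $configFile = __DIR__ . '/../../Constants.php';
    if (!is_readable($configFile)) {
        // A missing/unreadable file otherwise surfaces only as a bare 500.
        throw new RuntimeException('Database config not readable: ' . $configFile);
    }
    $cfg = require $configFile;
    foreach (['server', 'username', 'password', 'database'] as $key) {
        if (!is_array($cfg) || empty($cfg[$key])) {
            throw new RuntimeException("Database config is missing '$key'");
        }
    }

    // Make mysqli throw on failure instead of returning false, so a bad
    // connection cannot be silently ignored by the caller.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $link = new mysqli($cfg['server'], $cfg['username'], $cfg['password'], $cfg['database']);

    // The handle is all the rest of the request needs; drop the credentials
    // now rather than leaving them readable in a global constant until exit.
    unset($cfg);
    return $link;
}

// Usage from any page, e.g. public_html/index.php:
//   require_once __DIR__ . '/includes/connection.php';
//   $db = db_connect();
```

Because the credentials never become constants, a later script that gets included or injected into the same request cannot simply read SERVER/PASSWORD; it would have to call db_connect() itself, which is a much narrower surface and easy to log or restrict.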
(IMHO) Sounds like you are solving a problem that is not a problem. A file at the server with a php extension and no code to generate browser output will not show anything on the browser even if the hacker guessed the name of it. If they can access that file, you have bigger problems since they somehow have access to your server. If you really wanted to hide things you could use something like ioncube. That might be a little overkill beyond normal precautions and good coding practices.