Say we have db.php in the root directory where we connect to the DB:

<?php
$con = mysql_connect("localhost","peter","abc123");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
?>

The information is sitting naked in this file, so how could I and users go about securing this file? I think it's kind of unsafe having this information in the basic code. Or am I wrong? Can chmods make it more secure? Moving the file out of the root directory? Some sort of encryption method? Thanks!
It's secure, as it's a .php file, which means the code is not readable to visitors, only to you (and to whoever has access to your hosting/server, such as your host?). Chmods won't make a difference, as the file where the code resides can be accessed but the code can't, so whether you modify the write privileges etc. won't make a difference. Moving the code outside of the directory will stop visitors from visiting the file, such as yourdomain/db.php (but they can't see the code), so there won't be any significant difference. I wouldn't worry about it. Also, I suggest trigger_error() over die().
"Also I suggest trigger_error() over die()" - I guess that would depend on whether the rest of the application requires the DB connection or not; if it does, I would use die with an error note, or trigger an exception. If you're worried about people accessing your file, you could move it outside of the public directory, change open_basedir to none in your Apache config and just call it from outside the root; however, people can't really view the code anyway. The other option is encryption, such as IonCube.
I've only seen a security issue once with PHP files, but the person running the site wasn't too tech savvy. The issue they had was that if Apache went down on the server, then instead of running the PHP it simply included it on the page as text; as the site was phpBB based, it was pretty simple to locate admin passwords etc. Ensure nothing like this happens and you're pretty safe.
If Apache goes down then the entire server goes down and no files would be viewable. The reason the PHP file was showing was that the PHP server went down or wasn't configured properly.
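As an added example (not code from any poster in this thread), here is one way to put the two pieces of advice above into practice: keep the credentials in a file outside the public directory, and make db.php refuse to load them from anywhere under the document root, so that a PHP handler failure of the kind described in the phpBB story would serve only db.php's source, not the credentials. The directory layout, the db.ini contents and the host/user/password values are constructed placeholders; `str_starts_with()` assumes PHP 8.0 or later.

```php
<?php
// Added example, not from the thread. Assumed layout (placeholder paths):
//   /var/www/example.com/public/db.php    <- under DocumentRoot, served by Apache
//   /var/www/example.com/config/db.ini    <- outside DocumentRoot, never served
//
// Constructed sample contents of config/db.ini (values are placeholders):
//   host = localhost
//   user = peter
//   pass = abc123
//   name = appdb
// Restrict it on disk as well, e.g. chmod 640 owned by the web server's group.

declare(strict_types=1);

function loadDbConfig(string $iniPath): array
{
    $real = realpath($iniPath);
    if ($real === false) {
        throw new RuntimeException('DB config file not found');
    }

    // Refuse a config that sits inside the document root: if PHP is ever
    // served as plain text (broken handler, misconfiguration), a credentials
    // file under DocumentRoot would be downloadable. Outside it, it is not.
    $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docRoot !== false && str_starts_with($real, $docRoot . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException('DB config must not live inside the document root');
    }

    $cfg = parse_ini_file($real, false, INI_SCANNER_TYPED);
    if ($cfg === false) {
        throw new RuntimeException('DB config file is not valid INI');
    }
    foreach (['host', 'user', 'pass', 'name'] as $key) {
        if (!array_key_exists($key, $cfg)) {
            throw new RuntimeException("DB config is missing '$key'");
        }
    }
    return $cfg;
}

function connectDb(array $cfg): PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $cfg['host'], $cfg['name']);
    return new PDO($dsn, (string) $cfg['user'], (string) $cfg['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

try {
    // Path is relative to this file, so it works wherever the vhost is mounted.
    $con = connectDb(loadDbConfig(__DIR__ . '/../config/db.ini'));
} catch (Throwable $e) {
    // Log the real reason server-side; show the visitor nothing that reveals
    // hostnames, usernames or file paths.
    error_log('DB connection failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Service unavailable');
}
```

The design choice here follows the die-versus-trigger_error discussion above: a failed connection is fatal for an application that needs the database, so the script stops, but the detail goes to the server log rather than the response body. The `DOCUMENT_ROOT` check is a guard against a later deployment mistake (someone copying db.ini into the public directory), not a substitute for the file permissions and the placement outside the web root.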