I want to hide the MySQL login info so site visitors cannot see it if something goes wrong with the server configuration and it doesn't parse the PHP files. I thought of having this info in a file outside of public_html. How can I include it without showing my user name in the path? (i.e. I have to type something like: include("/home/myUserName/private/connection.php");) So, visitors could know my hosting user name if, for some reason, the server didn't parse the PHP files.
Hi there, Well, I believe there are several ways of doing this, so I'll just mention a couple: If possible, put your includes directory outside the public_html folder so it can't be reached from the Internet. That way you could do something like include("/some/folder/outside/public_html/database.inc"); You can also password-protect your includes folder so no one can have access to it unless they're an authorized user. Only you could have access to that folder, so you won't have any security issues. Last but probably best: encrypt your PHP files. That way, no matter what happens, no one could get your credentials. ionCube is a great tool for this (Warning: once you have encrypted your PHP scripts with ionCube you can't undo these changes!) Hope that helps!
If I do that, can I include the file without typing my hosting user name in the include path like this: include("/home/MyUserName/private/database.inc"); ? P.S. I've found password protecting folders the best option. Thank you for your help.
Depending on your setup, you might consider looking at the [MySQL] section of php.ini:
    [MySQL]
    ; Default port number for mysql_connect().  If unset, mysql_connect() will use
    ; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the
    ; compile-time value defined MYSQL_PORT (in that order).  Win32 will only look
    ; at MYSQL_PORT.
    mysql.default_port =
    ; Default socket name for local MySQL connects.  If empty, uses the built-in
    ; MySQL defaults.
    mysql.default_socket =
    ; Default host for mysql_connect() (doesn't apply in safe mode).
    mysql.default_host =
    ; Default user for mysql_connect() (doesn't apply in safe mode).
    mysql.default_user =
    ; Default password for mysql_connect() (doesn't apply in safe mode).
    ; Note that this is generally a *bad* idea to store passwords in this file.
    ; *Any* user with PHP access can run 'echo get_cfg_var("mysql.default_password")
    ; and reveal this password!  And of course, any users with read access to this
    ; file will be able to reveal the password as well.
    mysql.default_password =
Change user permissions on your folder so that it can't be read by users, which will redirect them to a: Forbidden. You don't have access to this page. It's sometimes funny how many forget this. Many sites store their images in folders called 'images'. That cliché has been around as long as webmasters started making static 4 page HTML sites. Lots of times they'll also have 'temp' and even 'user' folders. Many times those fall in second level. So if you go to a site and type http://www.(their site name here).com/images or users, etc. If they didn't set the permissions, it'll show you their (most times) Apache list of stuff. Any site you go to will show the folder names.. even in a long string like the example of http://www.somesite.com/users/fancy_section/images etc .. plug in any of those like: http://www.somesite.com/users or http://www.somesite.com/users/fancy_section or http://www.somesite.com/users/fancy_section/images and if they didn't set permissions - you can see it. The biggest mistake of new programmers is when they have their MySQL database connect files in a folder and they don't set permissions. Because if that folder opens and shows the script - the script will have your DB passwords and usernames. Once somebody has that, they're in your database passively checking out all your users, etc etc. Passive is worse than attack, because if they attacked your site just to be a putz, you'd instantly know about it when your site goes down. Competition sites won't do that - they'll just let you act as a master and slave system.. going out to draw in more users - while they take them and plot some master plan of 'bigger and better' site release. Yeah, it's crappy, that's why I'm telling you about it - How to change permissions? = Log on to your webhost and check the permissions on the folders. They will by default be something like 644. Change it so users and world etc can't read. That should give them the: Forbidden! wtf you think you're doing?! .. lol
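Added example (not code from any poster in this thread): one way to include credentials kept outside public_html without typing the hosting user name, by deriving the path from the script's own location, and to refuse a credentials file that "world" can read, as the permissions advice above suggests. The private/db.ini layout, its key names and the function name load_db_config are assumptions, and mysqli is used in place of the mysql_connect() named in the php.ini excerpt.

```php
<?php
// Added example. Assumed (hypothetical) layout:
//   <account home>/public_html/index.php  - this script
//   <account home>/private/db.ini         - keys: host, user, password, database

function load_db_config(string $webRoot): array
{
    // The parent of public_html is the account home, so no user name is typed here.
    $real = realpath(dirname($webRoot) . '/private/db.ini');
    if ($real === false || !is_readable($real)) {
        error_log('DB config missing or unreadable'); // detail goes to the server log only
        throw new RuntimeException('Configuration error');
    }

    // Reject a file that "world" can read or write (for example mode 0644).
    $mode = fileperms($real) & 0777;
    if (($mode & 0006) !== 0) {
        error_log(sprintf('DB config mode %04o is too permissive', $mode));
        throw new RuntimeException('Configuration error');
    }

    // RAW scanner: option values are not interpreted, so a password is kept as written.
    $cfg = parse_ini_file($real, false, INI_SCANNER_RAW);
    if ($cfg === false) {
        throw new RuntimeException('Configuration error');
    }
    foreach (['host', 'user', 'password', 'database'] as $key) {
        if (!array_key_exists($key, $cfg)) {
            error_log("DB config lacks key: $key");
            throw new RuntimeException('Configuration error');
        }
    }
    return $cfg;
}

try {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // connection failures throw
    $cfg = load_db_config(__DIR__);
    $db  = new mysqli($cfg['host'], $cfg['user'], $cfg['password'], $cfg['database']);
} catch (Throwable $e) {
    error_log('DB setup failed: ' . get_class($e));
    http_response_code(500);
    exit('Service temporarily unavailable.'); // no path or credential in the response
}
```

If the server ever serves this script as plain text, the visible source shows only a path relative to the script, not the account name or the credentials themselves.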