php crew - need simple php logic help

Discussion in 'OT Technology' started by Leb_CRX, Apr 13, 2006.

  1. Leb_CRX

    Leb_CRX OT's resident terrorist

    Joined:
    Apr 22, 2001
    Messages:
    39,994
    Likes Received:
    0
    Location:
    Ottawa, Canada
    good day

    I got a few questions regarding security, php and mysql.

    basically I know I can put database connect info (server, login, pass) in any php file and that works fine..but is that ideal for security purposes? to me seems like it might not be, but I am not sure

    at my last place of work the PHP developers had a /config.php file that resided outside of the root directory of the web server (example: if the server root is /var/www/html, we would have it at /var/www/master/config.php) and that worked fine and seemed to be very secure, but I can't find any info online about it, not sure if that was a 'custom' thing the guys developed...inside the config file they'd have everything and would 'require' it at the top of every page, granting access using a .htaccess file

    now I want to know how y'all do it? do you guys just put it in the root of the php file, or does it reside in another file you call upon, or does it reside outside of the root of the web folder altogether or something else?
     
  2. chips

    chips ...

    Joined:
    May 2, 2004
    Messages:
    3,755
    Likes Received:
    0
    Location:
    Phoenix, AZ
    When I did my coding I had a db.inc.php file that I included into the config.php file. And I included the config.php file in every page.
     
  3. Leb_CRX

    Leb_CRX OT's resident terrorist

    Joined:
    Apr 22, 2001
    Messages:
    39,994
    Likes Received:
    0
    Location:
    Ottawa, Canada
    where does the config.php and the db.inc.php reside? somewhere the web server has access to or outside its scope?

    thanks
     
  4. RyanL

    RyanL OT Supporter

    Joined:
    Nov 30, 2004
    Messages:
    4,584
    Likes Received:
    0
    Location:
    St. Paul, MN
    wherever you want it to... they are files that you make yourself, usually for making things easier...

    for instance you could make a file dbConnect.inc and have the file be php for connecting to your database... that way whenever you want to connect to your database simply call an include to that file... comes in real handy if your database username or password changes, you only have one place you need to change it then as opposed to every page
     
  5. chips

    chips ...

    Joined:
    May 2, 2004
    Messages:
    3,755
    Likes Received:
    0
    Location:
    Phoenix, AZ
    If you just name your file dbconnect.inc make sure your webserver treats .inc files as php files too; by default apache reads these as text, so if someone guessed the path in the htdocs folder they could read your passwords and such. So, make sure you have .inc as another ext. for PHP or just use .php just to be safe....

    Just my 2 cents
     
  6. kingtoad

    kingtoad OT Supporter

    Joined:
    Sep 2, 2003
    Messages:
    55,924
    Likes Received:
    11
    Location:
    Los Angeles
    It is fairly secure on the web application side as long as the variables cannot be modified by end users. However, server security may differ.
     
  7. dk01

    dk01 Awwwwww..... OT Supporter

    Joined:
    Mar 1, 2005
    Messages:
    3,178
    Likes Received:
    0
    Location:
    All up in your interwebsnet.
    I use this:

    db.php
    PHP:
    <?php

    class DB {

      var $ident;
      var $sql = array('host'=>'MYSQLHOST','user'=>'MYSQLUSERNAME','pass'=>'MYSQLPASSWORD','db'=>'MYSQLDATABASE');

      function connect ()
      {
        // Connect to MySQL (the original was missing the "=" here, so $ident was never set)
        $this->ident = mysql_connect($this->sql['host'], $this->sql['user'], $this->sql['pass']);
        if (!$this->ident) {
          die("Could not connect to MySQL");
        }

        // Select assigned DB on this connection
        if (!mysql_select_db($this->sql['db'], $this->ident)) {
          die("Could not connect to DB");
        }
      }

      function disconnect ()
      {
        // Close the connection
        if (!mysql_close($this->ident)) {
          die("Could not close DB");
        }
      }

    }

    ?>
    This uses persistent connections and also I always use require_once() instead of include() to stop multiple instances of the same file being opened. So my php file would be:

    PHP:
    <?php
    require_once("/path/to/db.php");

    $conn = new DB();
    $conn->connect();

    // now that we are connected we can do any mysql operations here.

    ?>
     
  8. chips

    chips ...

    Joined:
    May 2, 2004
    Messages:
    3,755
    Likes Received:
    0
    Location:
    Phoenix, AZ
    True but they could still see your mysql password if they can view the code of an inc file
     
  9. kingtoad

    kingtoad OT Supporter

    Joined:
    Sep 2, 2003
    Messages:
    55,924
    Likes Received:
    11
    Location:
    Los Angeles
    Like I said, it is fairly secure on the web application side as long as the variables cannot be modified by the end user. If they have access to that file then they might as well say they have root.
     
  10. P07r0457

    P07r0457 New Member

    Joined:
    Sep 20, 2004
    Messages:
    28,491
    Likes Received:
    0
    Location:
    Southern Oregon
    place the .inc file outside of the web-root. If they end up getting to it, your mysql password will be the last of your worries -- you're screwed with everything else.
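    The pattern the thread converges on (credentials in a file outside the web root, required by every page, and never a bare .inc that Apache would serve as text) written out as an added example. This is not code from any poster in this thread; the paths /var/www/html and /var/www/master/config.php, the function names load_db_config and db_connect, and the placeholder credentials are all assumptions for illustration. It uses PDO rather than the mysql_* functions shown above, and adds a check that refuses to start if the config file turns out to live under the document root.

```php
<?php
// Added example, not from the thread. Assumed layout:
//   web root:  /var/www/html               (what the web server serves)
//   config:    /var/www/master/config.php  (not reachable by any URL)

// ---- /var/www/master/config.php ----------------------------------------
// A .php file that only returns an array. Unlike a .inc file, if the web
// server ever did serve this path it would execute it and output nothing,
// instead of printing the credentials as plain text.
//
// <?php
// return array(
//     'host' => 'localhost',
//     'user' => 'app_user',
//     'pass' => 'CHANGE-ME',   // placeholder, not a real credential
//     'db'   => 'app_db',
// );

// ---- bootstrap.php (inside the web root, required at the top of every page) ----
function load_db_config($path)
{
    $real = realpath($path);
    if ($real === false || !is_readable($real)) {
        throw new RuntimeException('DB config not found or unreadable');
    }

    // Refuse to run if the config resolves to somewhere under the document
    // root, i.e. someone copied it back into htdocs where a path guess or a
    // misconfigured handler could expose it.
    $docroot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docroot !== false && strpos($real, $docroot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('DB config is inside the web root; move it outside');
    }

    // require (not require_once) so the returned array comes back on every
    // call; require_once returns true on the second inclusion of a file.
    $cfg = require $real;
    foreach (array('host', 'user', 'pass', 'db') as $key) {
        if (!isset($cfg[$key])) {
            throw new RuntimeException("DB config missing '$key'");
        }
    }
    return $cfg;
}

function db_connect(array $cfg)
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $cfg['host'], $cfg['db']);
    return new PDO($dsn, $cfg['user'], $cfg['pass'], array(
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ));
}

// In a page (assumed path):
// $cfg = load_db_config('/var/www/master/config.php');
// $pdo = db_connect($cfg);
```

    Two things to check when adopting this: the file system permissions on the config directory should allow the web server user to read it and nobody else to write it, and if open_basedir is set in php.ini the directory outside the web root must be listed there or the require will fail.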
     
  11. Leb_CRX

    Leb_CRX OT's resident terrorist

    Joined:
    Apr 22, 2001
    Messages:
    39,994
    Likes Received:
    0
    Location:
    Ottawa, Canada
    ok cool, thanks a lot guys
     
