
Hiding MySQL username and password - MySQL


  1. #1

    Default Hiding MySQL username and password

    Ok, I am a newbie. But now I have tried everything. My quest is to put
    the MySQL host name, user name, password, databasename and table-name
    in a separate file outside our web domain and call these variables via
    include (into my PHP-file).
    But it won't work! The path & directories are all fine, the PHP script
    works perfect (at least before I decided to move this critical
    information).

    This is the script:
    <?php //starts here...
    include ("/home/secret/protect/the_imported_mysqldata.inc");
    $link=LinkUp($host,$username,$password)or die("Cant connect");
    mysql_select_db($db_name)or die("cant choose db");

    $sql="SELECT secret_variable FROM $tbl_name WHERE username='$username'
    AND password='$password'";
    $result=mysql_query($sql);

    (and so on)

    here is the included "the_imported_mysqldata.inc":
    <?php
    $host="the.secret.host";
    $username="secret_as_stone";
    $password="very_secret";
    $db_name="secret_db";
    $tbl_name="the_actual_table";

    function LinkUp($host,$username,$password)
    {
    $mysql_link=mysql_connect($host,$username,$password);
    return $mysql_link;
    }
    ?>

    What have I done wrong? Please??

    Nosferatum Guest

  2. #2

    Default Re: Hiding MySQL username and password

     

    What happens if you use the require statement instead of include? If it
    still does not want to connect, but does include the file, try using the
    $GLOBALS array (like: $GLOBALS['host'] = 'the.secret.host';).

    Best regards,
    --
    Willem Bogaerts

    Application smith
    Kratz B.V.
    http://www.kratz.nl/
    Willem Guest

  3. #3

    Default Re: Hiding MySQL username and password


    "Nosferatum" <com> wrote in message
    news:googlegroups.com... 


    I am probably mistaken, but do you need to have "<?php" and "?>" in the
    include file, as the file will be included within a section of code that's
    already wrapped in the start/end php codes?



    Sean Guest

  4. #4

    Default Re: Hiding MySQL username and password

    On Mar 28, 4:23 pm, "Sean" <sean.anderson[nospam]oakleafgroup.biz>
    wrote:

    > I am probably mistaken, but do you need to have "<?php" and "?>" in the
    > include file, as the file will be included within a section of code that's
    > already wrapped in the start/end php codes?

    Yes you are - and yes you do! Correct me if I'm wrong but I think the
    file server also needs permission to read the folder in which the
    include is buried.
    I know nothing whatsoever about security but I would have thought that
    just putting the includes in a folder just outside the htdocs path
    would be safe enough.

    The folder would not need to be called anything like 'include'.
    Likewise, I think the file can have any extension you care to give it.

    strawberry Guest

  5. #5

    Default Re: Hiding MySQL username and password

    strawberry wrote:

    Um.
     

    The problem is that the web server, usually Apache, runs CGI programs
    as user "nobody". It can't read your non-public files. If you
    make the password file readable by any user,
    anybody else on the machine can read it, which is terrible in shared
    server environments.

    John Nagle
    John Guest
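
The concern raised in posts #4 and #5 (keep the include outside htdocs, but do not make it readable by every local user) can be checked mechanically. The following is an added example, not part of any poster's message; the function name `audit_cred_file`, its exit-status convention and the demo paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a credentials include file (all paths are constructed).

# Print the physical (symlink-free) path of a directory.
physical_dir() { (cd "$1" 2>/dev/null && pwd -P); }

# audit_cred_file FILE DOCROOT
# Prints one line per finding. Exit status: number of findings (0 = clean),
# or 64 when FILE or DOCROOT cannot be inspected.
audit_cred_file() {
    acf_file=$1
    acf_found=0
    [ -f "$acf_file" ] || { echo "ERROR: $acf_file is not a regular file"; return 64; }
    acf_dir=$(physical_dir "$(dirname "$acf_file")")
    acf_root=$(physical_dir "$2")
    [ -n "$acf_root" ] || { echo "ERROR: cannot resolve docroot $2"; return 64; }

    # A file under the document root can be requested by URL, and a .inc
    # file is typically served as plain text instead of being run by PHP.
    case "$acf_dir/" in
        "$acf_root"/*) echo "FAIL: inside document root"
                       acf_found=$((acf_found + 1)) ;;
    esac

    # Characters 8-10 of the ls mode string are the "other" permission bits.
    acf_other=$(ls -ld "$acf_file" | cut -c8-10)
    case "$acf_other" in
        r??) echo "FAIL: world-readable (any local user can read it)"
             acf_found=$((acf_found + 1)) ;;
    esac
    case "$acf_other" in
        ?w?) echo "FAIL: world-writable"
             acf_found=$((acf_found + 1)) ;;
    esac
    return "$acf_found"
}

# Demo on a constructed tree: private/ sits beside htdocs/, not inside it.
demo=$(mktemp -d)
mkdir "$demo/htdocs" "$demo/private"
echo '<?php $password="constructed";' > "$demo/private/db.inc"
chmod 644 "$demo/private/db.inc"
audit_cred_file "$demo/private/db.inc" "$demo/htdocs" || echo "findings: $?"
# 640 assumes the file's group is the one the web server runs under.
chmod 640 "$demo/private/db.inc"
audit_cred_file "$demo/private/db.inc" "$demo/htdocs" && echo "clean"
rm -rf "$demo"
```

On a shared host where every customer's PHP runs as the same web-server user, mode bits alone do not keep other customers' scripts from reading the file.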

  6. #6

    Default Re: Hiding MySQL username and password

    On Mar 28, 9:00 pm, John Nagle <com> wrote:

    > > I know nothing whatsoever about security
    >
    > Um.
    >
    > The problem is that the web server, usually Apache, runs CGI programs
    > as user "nobody". It can't read your non-public files. If you
    > make the password file readable by any user,
    > anybody else on the machine can read it, which is terrible in shared
    > server environments.
    >
    > John Nagle

    So what's the correct solution?

    strawberry Guest

  7. #7

    Default Re: Hiding MySQL username and password

    On 28 Mar 2007 13:19:00 -0700, strawberry wrote:

    >> Um.
    >>
    >> The problem is that the web server, usually Apache, runs CGI programs
    >> as user "nobody". It can't read your non-public files. If you
    >> make the password file readable by any user,
    >> anybody else on the machine can read it, which is terrible in shared
    >> server environments.
    >>
    >> John Nagle
    >
    > So what's the correct solution?

    Secure the web machine as well as possible, secure the database as well as
    possible on a different machine, and make sure the functional ID (that
    the CGI uses to connect to the database) has only the access to the
    database that is actually needed to accomplish the task at hand. In some
    cases, that might be fun things like the ID having only INSERT
    access to some tables, and SELECT from others. Have other IDs used for
    maintaining the database. That's the real bit: Your webserver should be
    trusted no more than you can possibly manage.

    --
    14. The hero is not entitled to a last kiss, a last cigarette, or any other
    form of last request.
    --Peter Anspach's list of things to do as an Evil Overlord
    Peter Guest
