Hudzilla.org - the homepage of Paul Hudson

17.1.8     Restrict PHP database access

This is NOT the latest copy of this book.

Chances are that most, if not all, of your scripts need database access to operate, which gives you two options: write the database connection code into each of your scripts, or write it into one file and include that file from every page. It is easy to place files outside your public web directory, so it is also easy to put all your connection code into one file and then keep that file somewhere the web server will never serve directly. If you write your connection details into each page, you increase the likelihood of them getting out: all it would take is for one page to have its source disclosed and the credentials go with it. With a single include file outside the web root, a disclosed page shows only an include line, and there is one file to protect with restrictive permissions rather than dozens.
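The single-include approach described above, as an added example (this is not code from the book or from Paul Hudson). It uses PDO rather than the mysql_* functions the text refers to, and the paths /srv/app/private/db.php and /srv/app/public/index.php, the database name and the credentials are all made up. The page loads its settings from a PHP file one level above the document root and refuses to start if that file turns out to resolve to somewhere inside the served tree, so a misplaced copy cannot quietly become a downloadable URL:

```php
<?php
// Added example, not from the book. Paths, database and credentials are made up.
//
// /srv/app/private/db.php  (kept OUTSIDE the document root; written as PHP
// that returns an array, so that even if it were ever requested as a URL the
// server would execute it and send back an empty page, not the password):
//
//   <?php
//   return [
//       'dsn'  => 'mysql:host=localhost;dbname=shop;charset=utf8mb4',
//       'user' => 'shop_app',
//       'pass' => 'change-me',
//   ];
//
// /srv/app/public/index.php (everything below this comment):

declare(strict_types=1);

/**
 * Load the connection settings from a file that must live outside the web
 * server's document root. Throws (fails closed) on any doubt, rather than
 * connecting with a file that a visitor could also fetch.
 */
function load_db_config(string $path, string $docroot): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("connection file not found: $path");
    }
    $root = realpath($docroot);
    if ($root === false) {
        throw new RuntimeException("cannot resolve document root: $docroot");
    }
    // Reject the file if its resolved path sits anywhere under the web root.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) === 0) {
        throw new RuntimeException("connection file $real is inside the document root $root");
    }

    $cfg = require $real;
    foreach (['dsn', 'user', 'pass'] as $key) {
        if (!is_array($cfg) || !isset($cfg[$key]) || !is_string($cfg[$key])) {
            throw new RuntimeException("connection file is missing '$key'");
        }
    }
    return $cfg;
}

/** Open the connection; exceptions on error so a failed login is never silent. */
function connect(array $cfg): PDO
{
    return new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Under a web server DOCUMENT_ROOT is /srv/app/public; fall back to this
// directory when run from the command line.
$docroot = (string) ($_SERVER['DOCUMENT_ROOT'] ?? '') ?: __DIR__;
$db = connect(load_db_config(__DIR__ . '/../private/db.php', $docroot));

// Ordinary page logic follows; the credentials never appear in this file.
$stmt = $db->prepare('SELECT name FROM products WHERE id = ?');
$stmt->execute([(int) ($_GET['id'] ?? 0)]);
echo htmlspecialchars((string) $stmt->fetchColumn(), ENT_QUOTES, 'UTF-8');
```

Keep the private directory and file readable by the web server's user only (for example owned by root, group-readable by the web server group, mode 0640), since the include line protects you against source disclosure of a page but not against anyone who can already read files as that user.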

There is, however, a third option that can sometimes be better: placing your connection details inside your php.ini file. If you call mysql_connect() with no arguments, PHP uses the values of the mysql.default_host, mysql.default_user and mysql.default_password directives from php.ini, so your username and password no longer need to appear in your scripts at all. (mysqli_connect() behaves the same way with the mysqli.default_host, mysqli.default_user and mysqli.default_pw directives; the older mysql extension itself was removed in PHP 7.) At first this might sound perfect, but it has major security implications of its own:

  • Anyone with read access to php.ini can take the values straight from the file; it is plain text, and its permissions are rarely tightened.

  • Anyone who can get a script to run on your server, including other customers on a shared host, can read the value with ini_get('mysql.default_password'). They do not need to be able to read php.ini itself; the running interpreter hands the value over.

Because php.ini is normally server-wide, every site on that server will also use the same database login unless the directive is overridden per site. If you firmly believe you are safe from these problems, go ahead and use your php.ini file; otherwise stick to a single connection file kept outside your web root.






Comments from other readers
web hostee again - 06 Sep 2008

If you're using web hosting instead of your own server, you probably won't be able to access the php.ini file. This leaves you with the better of the first two options (which I gather is to put the database connection script into a single, securely located file to be included in all the other files).


