[artisites]

I currently have a simple php script to read in blog posts from a mysql database.

At the top there is

var $host = "localhost";
var $user = "";
var $pass = "";
var $db = "";

then later in the script there are lots of bits like this

function getCategories(){
		$sql = "SELECT id, name, DATE_FORMAT(date, '".$this->date_format."') as newdate FROM ".$this->table_pre."categories AS categories ORDER BY id";
		$items = mysql_query($sql) or die("Database Error: ".mysql_error());
		
		while ($obj = mysql_fetch_object($items)) {
        	$array[$obj->id]['id'] = $obj->id;
            $array[$obj->id]['name'] = $obj->name;
			$array[$obj->id]['newdate'] = $obj->newdate;
        }
		
		mysql_free_result($items);
		
		return $array;

Are there any simple steps i can take to make this a bit safer? Some scripts I've used before use pear library with a db-connect include, I'm just thinking it may be wise to go down this route, but I think it would be quite a task to redo the whole script.

Is it safer if I extract the db name and pw to an include outside of the public html root?

[webdesigner93]

artisites, on 10 January 2012 - 12:03 AM, said:

I currently have a simple php script to read in blog posts from a mysql database.

At the top there is

var $host = "localhost";
var $user = "";
var $pass = "";
var $db = "";

then later in the script there are lots of bits like this

function getCategories(){
		$sql = "SELECT id, name, DATE_FORMAT(date, '".$this->date_format."') as newdate FROM ".$this->table_pre."categories AS categories ORDER BY id";
		$items = mysql_query($sql) or die("Database Error: ".mysql_error());
		
		while ($obj = mysql_fetch_object($items)) {
        	$array[$obj->id]['id'] = $obj->id;
            $array[$obj->id]['name'] = $obj->name;
			$array[$obj->id]['newdate'] = $obj->newdate;
        }
		
		mysql_free_result($items);
		
		return $array;

Are there any simple steps i can take to make this a bit safer? Some scripts I've used before use pear library with a db-connect include, I'm just thinking it may be wise to go down this route, but I think it would be quite a task to redo the whole script.

Is it safer if I extract the db name and pw to an include outside of the public html root?

mm u dont need to use var infront of your variables, you can just do

$host = "localhost";
$user = "";
$pass = "";
$db = "";

[artisites]

ok cool, but assuming the rest of the file is secure is it possible for someone to get at those details in the php file?

should i home them outwith the public html folder?

[Olavi]

artisites, on 11 January 2012 - 10:00 PM, said:

should i home them outwith the public html folder?

Store secure data outside public folder and include it where you need it.

[webdesigner93]

artisites, on 11 January 2012 - 10:00 PM, said:

ok cool, but assuming the rest of the file is secure is it possible for someone to get at those details in the php file?

should i home them outwith the public html folder?

theres a little trick u can do to prevent direct access to these files, like this

<?php
//Deny direct access to this file
if(!defined('ALLOW_ACCESS')){die('No direct access allowed');}
//Db details
$host = "localhost";
$user = "";
$pass = "";
$db = "";
?>

then with in any file u include those details in u put this line above the file include

define('ALLOW_ACCESS',true);

you also can deny direct access to folders by placing a blank index.html file in each folder

This post has been edited by webdesigner93: 11 January 2012 - 10:34 PM

[Samus]

They wouldn't even be able to see the connection details anyway if you're just assigning them to a variable. They'd have to be echo'ed first.

[webdesigner93]

Samus, on 12 January 2012 - 12:59 AM, said:

They wouldn't even be able to see the connection details anyway if you're just assigning them to a variable. They'd have to be echo'ed first.

u would be supprised what hackers can do

[gadgetgirl]

webdesigner93, on 11 January 2012 - 10:32 PM, said:

theres a little trick u can do to prevent direct access to these files, like this

<?php
//Deny direct access to this file
if(!defined('ALLOW_ACCESS')){die('No direct access allowed');}
//Db details
$host = "localhost";
$user = "";
$pass = "";
$db = "";
?>

then with in any file u include those details in u put this line above the file include

define('ALLOW_ACCESS',true);

you also can deny direct access to folders by placing a blank index.html file in each folder

this looks like a good security trick to try - thanks for posting

[rallport]

webdesigner93, on 11 January 2012 - 10:32 PM, said:

theres a little trick u can do to prevent direct access to these files, like this

<?php
//Deny direct access to this file
if(!defined('ALLOW_ACCESS')){die('No direct access allowed');}
//Db details
$host = "localhost";
$user = "";
$pass = "";
$db = "";
?>

then with in any file u include those details in u put this line above the file include

define('ALLOW_ACCESS',true);

you also can deny direct access to folders by placing a blank index.html file in each folder

Don't see the point in that tbh. It takes seconds to place a file outside the web root and reference that location instead.

[webdesigner93]

rallport, on 12 January 2012 - 01:44 PM, said:

Don't see the point in that tbh. It takes seconds to place a file outside the web root and reference that location instead.

True, its just a preference of mine i guess

This post has been edited by webdesigner93: 12 January 2012 - 09:21 PM