php mySQL Connection

Totally off topic, but I suspect there may be some web developer pros on here. I want to connect to a MySQL database on my web server. I see an example connection code is:


<?php
// Create connection (host, user, password and database name are placeholder values)
$con = mysqli_connect("example.com", "peter", "abc123", "my_db");

// Check connection: mysqli_connect_errno() takes no arguments
if (mysqli_connect_errno()) {
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
?>

Is this not a little insecure, having a username and password in a PHP file on the server? How do I make this secure, or is it already?

That data is never transmitted to the client, so a “hacker” would have to gain direct access to the server and download the file with that data in it.

This is the “canned” code I use for all my PHP projects (this code resides in an INCLUDE file that is the header of every page):


// NOTE: the mysql_* extension used below was deprecated in PHP 5.5 and removed in PHP 7.0;
// on current PHP this code needs porting to mysqli_* or PDO.
// Report a database error to the browser and stop the script.
function error_db($msg)
{
   $x = mysql_error();
   // This echoes the driver message (and, from execute_query, the full SQL text) to the
   // client. That discloses table and column names to a visitor; logging server-side with
   // error_log() and showing a generic message is the safer pattern.
   exit("$msg<br>An error has occurred : $x");
}
//
// Open the connection using the globals defined in the include file.
function connect_db()
{
   global $mySQL_host, $mySQL_database, $mySQL_username, $mySQL_password;
   $connection = mysql_connect($mySQL_host, $mySQL_username, $mySQL_password);
   if (!$connection)
   {
      error_db("Could not connect to $mySQL_database ");
      return(false); // not reached: error_db() calls exit()
   }
   return(true);
}
//
// Connect and then select the configured database.
function select_db()
{
   global $mySQL_database;
   if (connect_db())
   {
      if (mysql_select_db($mySQL_database)) return(true);
      error_db("Unable to select database : $mySQL_database");
   }
   return(false);
}
//
// Run a query on the implicit (last opened) connection; returns the result set or false.
function execute_query($SQL)
{
   $results = mysql_query($SQL);
   if (!$results)
   {
      error_db("SQL Statement : $SQL");
      return(false); // not reached: error_db() calls exit()
   }
   return($results);
}

Thanks Dave. I am not that up to speed on the Web and security issues. Couldn’t a hacker just navigate to the folder where the above include file is stored, open it and read it? Or is that what my .htaccess file stops them doing? Does .htaccess completely stop access to browsing folders?

Are you going to leave your directory structure wide open?
If you have an INDEX.HTML or INDEX.PHP, that will stop anyone (usually) from seeing, and then being able to download, the files,
which is why it is a good idea to ALWAYS put an INDEX.HTML file (at least) in every directory.

Not saying that is bullet proof, but it’s a decent flak jacket.

No, not leaving it open. I have a .htaccess file in my root with the flag -noindexes set, which I understand stops directory listings regardless of whether or not I have an index.htm/index.php file?

Thanks for the above code anyway Dave, I will use that. I am just conscious about security and not really sure of the best way to keep it all watertight.

Most of the time, with a file that has a .php extension, the client can’t see the source code (if PHP is installed into Apache), only the outcome. But to minimize the risk, make sure you don’t allow directory browsing on those folders, as developers sometimes make mistakes by creating a backup file with a different extension in the same folder, and then a user would be able to see the source code. For example config.php.backup, config.php.1 or config.php-2013-July.

If you allow directory browsing, users would be able to see all your files, and if they click on “config.php-2013-july” they will be able to see the source code.

But even if you disallow directory browsing, it will not stop an evil hacker from trying to find redundant files on your system with different extensions. But it will minimize the risk.

That’s why you sometimes see in your log files:
Get /config.php.bck
Get /config.php.old
Get /config.php.1
and so on

Remember that!
An evil hacker will in most cases be able to get into the system if they want to. It’s only a question of how much time it takes.
So our goal is to slow the evil hacker down so we have enough time to prevent them from compromising all our systems.

So make sure you design your security as an onion and not like a coconut.
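One way to act on both points in this thread (the original question about credentials sitting in a PHP file, and the warning above about backup copies of config.php being served), as an added example that is neither the original poster's nor Dave's code: the credentials live in a file outside DocumentRoot that simply returns an array, so no URL maps to it even if a stray copy or directory listing exists in the web root; the connection uses mysqli in exception mode; and failures are written to the server log instead of being echoed to the browser. The path /var/www/private/db_config.php and the setting names are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical location outside the web root (e.g. DocumentRoot is /var/www/html).
// The file contains only:  <?php return ['host' => '...', 'user' => '...', 'password' => '...', 'database' => '...'];
const DB_CONFIG_PATH = '/var/www/private/db_config.php';

// Read the credential file and check that every required setting is present.
function load_db_config(string $path): array
{
    if (!is_readable($path)) {
        throw new RuntimeException('Database configuration is not readable');
    }
    $cfg = require $path; // the file's return value is the settings array
    foreach (['host', 'user', 'password', 'database'] as $key) {
        if (!isset($cfg[$key]) || !is_string($cfg[$key])) {
            throw new RuntimeException("Missing database setting: $key");
        }
    }
    return $cfg;
}

// Open the connection; detailed errors go to the server log, the client gets a generic message.
function connect_db(array $cfg): mysqli
{
    // Make mysqli throw mysqli_sql_exception instead of returning false silently.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    try {
        $db = new mysqli($cfg['host'], $cfg['user'], $cfg['password'], $cfg['database']);
        $db->set_charset('utf8mb4');
        return $db;
    } catch (mysqli_sql_exception $e) {
        // The driver message may contain the host and user name; keep it out of the response.
        error_log('DB connection failed: ' . $e->getMessage());
        http_response_code(500);
        exit('A database error occurred.');
    }
}

$db = connect_db(load_db_config(DB_CONFIG_PATH));
```

Pair this with Options -Indexes (or the -noindexes flag mentioned above) in .htaccess so that directory listings stay off; the credential file itself is protected by its location, not by the listing setting.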

Thanks for the tip. I have directory browsing disallowed. I’ll remember not to use alternate extensions. Thanks.