Thread: php
-
05-24-2014, 11:15 AM #1 WHT Addict
- Join Date
- Dec 2013
- Posts
- 150
Hi,
If I have MySQL connection details (host, db, user, password) in a PHP file (dbconnection.php), is it possible for someone to view it or hack from it?
If so, what's a way to hide or mask it?
Another question: if I put the file outside public_html with permissions on it and maybe a password, and link to it from the login page, would that be more secure?
Cheers
-
05-24-2014, 11:24 AM #2 WHT Addict
- Join Date
- May 2014
- Location
- UK / USA (California)
- Posts
- 105
You can make the file inaccessible from a web browser by adding to the .htaccess files these rules:
<Files "dbconnection.php">
deny from all
</Files>
The file still can be included in your scripts and adding the .htaccess rule above will not disable your database connections.
-
05-25-2014, 11:59 AM #3 Newbie
- Join Date
- Nov 2004
- Posts
- 27
You also want to check local permissions on the file. Make sure it's not world readable.
█ Ceniks LLC
█ Offering VPS Hosting, Colocation, and Dedicated Servers
█ http://www.ceniks.com
█ OpenVZ/KVM Servers @ http://www.ceniks.com - Enterprise level OpenVZ/KVM VPS
-
05-25-2014, 01:45 PM #4 Disabled
- Join Date
- Jun 2010
- Location
- US / UK / SG / IN
- Posts
- 83
If I have mysql connection details (host,db,user,password) in a php file (dbconnection.php) is it possible for someone to view it or hack from it?
-
05-25-2014, 02:33 PM #5 Newbie
- Join Date
- Nov 2004
- Posts
- 27
-
06-09-2014, 07:43 AM #6 New Member
- Join Date
- Jun 2014
- Posts
- 1
We can't access database connection with HTML.
-
06-09-2014, 06:05 PM #7 Web Hosting Guru
- Join Date
- Apr 2014
- Posts
- 264
-
06-09-2014, 06:52 PM #8 Junior Guru Wannabe
- Join Date
- May 2013
- Posts
- 82
Unless there are errors in your file or someone can download your PHP file, there really is no way to get the source code. Now if someone has access to your server, that is a different problem.
In most cases, and in most frameworks, config files are protected, or in a protected directory, so users can't navigate there or anything.
But again, just visiting dbconnection.php will only bring up a blank page, and you really shouldn't have any issues if you do nothing. Best practice would be to protect it using .htaccess or place it outside of the public/html directory.
█ Managed Service Provider - www.OpticIP.com
█ Public & Private Cloud Solutions | SSD SANs | High IOP's | CDN Solutions
█ Phoenix/Chandler AZ Colocation | 48U Cabinets | Data Halls | TIA-942 Tier 4 Facility
-
06-09-2014, 07:10 PM #9 New Member
- Join Date
- Apr 2014
- Posts
- 2
The concept of PHP is that the code is executed server-side.
This means that by nature, the front-end user is unable to see the source code.
As Tim pointed out, the only possible way to access that information would be to download that page via SSH or FTP.
-
06-09-2014, 09:17 PM #10 Retired Moderator
- Join Date
- Feb 2005
- Location
- Australia
- Posts
- 5,849
The risk is that at some time in the future, typically after a failed recompilation of PHP, the webserver may be restarted misconfigured in such a way that it fails to parse PHP files. It's not a common thing but it can and does happen. Even protecting the file through directives in .htaccess could fail if the server's set up to ignore .htaccess, although the combination of misconfigurations makes this a very remote possibility.
Ultimately IMO the best method of protecting config files is simply to place them outside the public web directory but .htaccess protection is a reasonable alternative.
In any event, as already stated, if the attacker gets access to the account through ftp, ssh or an exploit on any PHP script then it's game over.
Chris
"Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter
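As an added example (not part of any post in this thread), a shell check for the two conditions raised above: whether the config file sits inside the web root, and whether it is world-readable. The function names and the temporary demo paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit where a PHP DB config file lives and who can read it.

# Print the physical absolute path of an existing file (its directory is
# resolved through symlinks and "..").
abs_path() {
    ( cd -- "$(dirname -- "$1")" && printf '%s/%s\n' "$(pwd -P)" "$(basename -- "$1")" )
}

# Succeeds if file $1 is located under web document root $2.
inside_docroot() {
    file=$(abs_path "$1") || return 2
    root=$(cd -- "$2" && pwd -P) || return 2
    case "$file" in
        "$root"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Succeeds if the "other" read bit is set on $1 (8th char of the ls mode).
world_readable() {
    [ "$(ls -ld -- "$1" | cut -c8)" = "r" ]
}

# Print one line per finding; the exit status is the number of findings.
audit_config() {
    findings=0
    if inside_docroot "$1" "$2"; then
        echo "WARN: $1 is inside the web root; it is served as text if PHP parsing breaks"
        findings=$((findings + 1))
    fi
    if world_readable "$1"; then
        echo "WARN: $1 is world-readable; other local accounts can read the password"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo "OK: $1"
    return "$findings"
}

# Constructed demo: one config inside public_html (644), one beside it (640).
demo=$(mktemp -d)
mkdir -p "$demo/public_html" "$demo/private"
: > "$demo/public_html/dbconnection.php"; chmod 644 "$demo/public_html/dbconnection.php"
: > "$demo/private/dbconnection.php";     chmod 640 "$demo/private/dbconnection.php"
audit_config "$demo/public_html/dbconnection.php" "$demo/public_html" || true
audit_config "$demo/private/dbconnection.php"     "$demo/public_html" || true
rm -rf "$demo"
```

With mode 640 the file's group must be one the PHP process runs under, otherwise the include fails.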
-
06-11-2014, 07:02 AM #11 Temporarily Suspended
- Join Date
- Jun 2014
- Posts
- 1
When compared to other options like .ini files or XML files, it's always better to keep the config data in a PHP file, since by default, if you have configured PHP in Apache, it will only execute but will not show the data as text output. But other file formats do. To make it secure, you can keep the file from direct access to public_html and provide a link to it from another secure path. Also make sure that you only have execute permission on the file.
-
06-11-2014, 08:56 PM #12 Newbie
- Join Date
- Jan 2014
- Location
- Turkey
- Posts
- 9
Like others said, it is not readable from the HTML side. However, you should always consider "What if someone is able to reach the file itself?" In this case, encoding the file with ionCube would be good extra security.
-
06-13-2014, 09:11 PM #13 Newbie
- Join Date
- Jun 2014
- Posts
- 12
nope
Through PHP none can access your files unless you have not created a well-encrypted password (assuming your files are reachable through some sort of permission). Not to mention the security holes leaking through your hosting provider through the server.
-
06-30-2014, 01:53 PM #14 WHT Addict
- Join Date
- Jan 2013
- Posts
- 117
Most Content Management Systems (WP, Joomla, etc.) keep information such as this in a PHP file. It is safe behind the file and folder permissions and cannot be seen through direct access. Although nothing is impervious, it is normally safe.
Think of it like your wallet lying on your kitchen table. It is safe by normal standards, but accessible should someone gain access to your house. If you need extra security, keep it in a safe (or use ionCube for your code).
Scott M
-
07-01-2014, 10:16 AM #15 Temporarily Suspended
- Join Date
- Mar 2014
- Location
- Prague
- Posts
- 132
Set up your SQL to accept connections only from the IP of your webserver (or 127.0.0.1 if both SQL and webserver live on the same server).
-
07-12-2014, 04:06 PM #16 Junior Guru Wannabe
- Join Date
- Nov 2012
- Posts
- 74
There's no real need for that. Plus ionCube is hackable. There are free apps online that can decrypt it.
Even if you encrypt your file, it doesn't make it bulletproof from hackers.
I myself don't encrypt my stuff on my server, and it's because it makes files heavier than needed and takes more time to process.
The hackers cannot easily hack your servers. Just make sure you keep your servers up to date.
-
07-14-2014, 08:09 AM #17 Aspiring Evangelist
- Join Date
- Apr 2014
- Posts
- 365
An easy method is to not give permission to that file; make it hidden for all except admin.