  #1  
Old
WHT Addict
 
Join Date: Dec 2013
Posts: 117

php


Hi,

If I have mysql connection details (host,db,user,password) in a php file (dbconnection.php) is it possible for someone to view it or hack from it?

If so what's a way to hide or mask it?

Another question: if I put the file outside public_html with permissions on it and maybe a password, and link to it from the login page, would that be more secure?

Cheers



  #2  
Old
Junior Guru Wannabe
 
Join Date: May 2014
Location: UK / USA (California)
Posts: 66
You can make the file inaccessible from a web browser by adding to the .htaccess files these rules:

<Files "dbconnection.php">
deny from all
</Files>

The file still can be included in your scripts and adding the .htaccess rule above will not disable your database connections.

  #3  
Old
Newbie
 
Join Date: Nov 2004
Posts: 27
You also want to check local permissions on the file. Make sure it's not world readable.

__________________
█ Ceniks LLC
█ Offering VPS Hosting, Colocation, and Dedicated Servers
http://www.ceniks.com
█ OpenVZ/KVM Servers @ http://www.ceniks.com - Enterprise level OpenVZ/KVM VPS

  #4  
Old
Junior Guru Wannabe
 
Join Date: Jun 2010
Location: US / UK / SG / IN
Posts: 84
Quote:
If I have mysql connection details (host,db,user,password) in a php file (dbconnection.php) is it possible for someone to view it or hack from it?
This is how all open source applications/CMSs out there save DB connection info, i.e. save it in a .php file. Of course, you need to make sure that the permissions are proper. If you are so concerned about the MySQL connection details in that file, maybe you should encode it using Ioncube.

  #5  
Old
Newbie
 
Join Date: Nov 2004
Posts: 27
Quote:
Originally Posted by Server Adminz View Post
If you are so concerned about the mysql connection details in that file, maybe you should encode it using Ioncube.
I wouldn't bother with that. Just set the permissions to 600 on the file & you'll be good to go.

__________________
█ Ceniks LLC
█ Offering VPS Hosting, Colocation, and Dedicated Servers
http://www.ceniks.com
█ OpenVZ/KVM Servers @ http://www.ceniks.com - Enterprise level OpenVZ/KVM VPS

  #6  
Old
New Member
 
Join Date: Jun 2014
Posts: 1
We can't access database connection with HTML.

  #7  
Old
WHT Addict
 
Join Date: Apr 2014
Posts: 107
Quote:
Originally Posted by joshaidan View Post
We can't access database connection with HTML.
Yes that's true.

  #8  
Old
Junior Guru Wannabe
 
Join Date: May 2013
Posts: 77
Unless there are errors in your file or if someone can download your PHP file, there really is no way to get the source code. Now if someone has access to your server, that is a different problem.

In most cases, and in most frameworks, config files are protected, or in a protected directory, so users can't navigate there or anything.

But again, just visiting dbconnection.php will only bring up a blank page, and you really shouldn't have any issues if you do nothing. Best practice would be to protect it using .htaccess or place it outside of the public/html directory.

__________________
Managed Service Provider - www.OpticIP.com
Public & Private Cloud
Solutions | SSD SANs | High IOP's | CDN Solutions
Phoenix/Chandler AZ Colocation | 48U Cabinets | Data Halls | TIA-942 Tier 4 Facility


  #9  
Old
New Member
 
Join Date: Apr 2014
Posts: 2
The concept of PHP is that the code is executed server-side.
This means that by nature, the front-end user is unable to see the source code.

As Tim pointed out, the only possible way to access that information would be to download that page via SSH or FTP.

  #10  
Old
Community Liaison 2.0
 
Join Date: Feb 2005
Location: Australia
Posts: 5,825
Quote:
Originally Posted by TimOpticIP View Post
Unless there are errors in your file or if someone can download your PHP file, there really is no way to get the source code.
The risk is that at some time in the future, typically after a failed recompilation of PHP, the webserver may be restarted misconfigured in such a way that it fails to parse PHP files. It's not a common thing but it can and does happen. Even protecting the file through directives in .htaccess could fail if the server's set up to ignore .htaccess, although the combination of misconfigurations makes this a very remote possibility.

Ultimately IMO the best method of protecting config files is simply to place them outside the public web directory but .htaccess protection is a reasonable alternative.

In any event, as already stated, if the attacker gets access to the account through ftp, ssh or an exploit on any PHP script then it's game over.

__________________
Chris

"Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter
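
The two checks recommended in posts #3, #5 and #10 (keep the credentials file outside the web root, and keep it at mode 600), as an added example that is not part of any forum post. The function names and the temporary demo paths are constructed for illustration.

```bash
# Added example: audit where a PHP credentials file lives and who can read it.
# Return status is a bitmask: 1 = file is inside the web root, 2 = group/other
# permission bits are set; 4 = file or web root not found.

# Canonical directory of a path (resolves symlinks and "..").
real_dir() { (cd "$1" 2>/dev/null && pwd -P); }

# Octal mode of a file; GNU stat first, BSD/macOS stat as fallback.
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

audit_db_config() {
    local docroot cfg dir mode rc
    cfg=$2; rc=0
    [ -f "$cfg" ] || { echo "MISSING: $cfg"; return 4; }
    docroot=$(real_dir "$1") || { echo "MISSING: $1"; return 4; }
    dir=$(real_dir "$(dirname "$cfg")")

    # Inside the web root, a PHP or .htaccess misconfiguration would serve it as text.
    case "$dir/" in
        "$docroot"/*) echo "WARN: $cfg is under web root $docroot"; rc=$((rc | 1)) ;;
    esac

    # Any group/other bit means accounts other than the owner can reach the file.
    mode=$(file_mode "$cfg")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "WARN: $cfg has mode $mode; expected 600"
        rc=$((rc | 2))
    fi

    [ "$rc" -eq 0 ] && echo "OK: $cfg (mode $mode, outside web root)"
    return "$rc"
}

# Constructed demo layout in a temp directory (sample paths, not from the thread).
demo() {
    local base
    base=$(mktemp -d)
    mkdir -p "$base/public_html" "$base/private"
    echo '<?php $db_pass = "example";' > "$base/public_html/dbconnection.php"
    cp "$base/public_html/dbconnection.php" "$base/private/dbconnection.php"
    chmod 644 "$base/public_html/dbconnection.php"
    chmod 600 "$base/private/dbconnection.php"
    audit_db_config "$base/public_html" "$base/public_html/dbconnection.php"
    audit_db_config "$base/public_html" "$base/private/dbconnection.php"
    rm -rf "$base"
}

demo || true
```

The web server's PHP user must own the file for mode 600 to work with `include`; on shared hosting where PHP runs as a different account, the owner or handler has to be adjusted rather than the mode loosened.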

  #11  
Old
Temporarily Suspended
 
Join Date: Jun 2014
Posts: 1
When compared to other options like .ini files or XML files, it's always better to keep the config data in a PHP file, since by default, if you have configured PHP in Apache, it will only execute but will not show the data as a text output. But other file formats do. To make it secure, you can keep the file from direct access to public_html and provide a link to it from another secure path. Also make sure that you only have execute permission on the file.

  #12  
Old
Newbie
 
Join Date: Jan 2014
Location: Turkey
Posts: 10
Like others said, it is not readable from the HTML side. However, you should always consider "What if someone is able to reach the file itself?" In this case, encoding the file with ioncube would be good extra security.

  #13  
Old
Newbie
 
Join Date: Jun 2014
Posts: 12
nope

Through PHP no one can access your files unless you have not created a well encrypted password (assuming your files are reachable through some sort of permission). Not to mention the security holes leaking through your hosting provider through the server.

  #14  
Old
Junior Guru Wannabe
 
Join Date: Jan 2013
Posts: 67
Most Content Management Systems (WP, Joomla, etc) keep information such as this in a php file. It is safe behind the file and folder permissions and cannot be seen through direct access. Although nothing is impervious, it is normally safe.

Think of it like your wallet lying on your kitchen table. It is safe by normal standards, but accessible should someone gain access to your house. If you need extra security keep it in a safe (or use ioncube for your code).

__________________
Scott M
InMotion Hosting Customer Community Team


  #15  
Old
WHT Addict
 
Join Date: Mar 2014
Location: Prague
Posts: 130
Set up your SQL to accept connections only from the IP of your webserver (or 127.0.0.1 if both SQL and webserver live on the same server).

__________________
CDNsun | Content Delivery Network (CDN) Provider

Global | Reliable | Fast | Affordable
Contact our 24/7 Live Chat Support
