PHP

DesignerBill · 10-28-2011, 02:03 AM

Question for PHP experts:

How does one typically hide from prying eyes the server name, username, and password that appear in a mysql_connect operation, and the database name in mysql_select_db? Seems you would not want them seen by someone browsing the script.

MarkR · 11-04-2011, 12:56 PM

I don't quite understand what you mean, if you mean preventing them from displaying to the client if an error occurs you can hide errors using

PHP Code:


			
ini_set('display_errors',0); error_reporting(0);

If you mean when sending people php files, just remove them from the script

DesignerBill · 11-05-2011, 04:09 PM

Mark, I mean how to keep the server name, user name, password and database name from being visible somewhere in the script where the following statements are used, or in a related script, as I understand you cannot totally hide website code:

$sqlcon = mysql_connect(server name, user name, password);
$sqldb = mysql_select_db(database name, $sqlcon);

MarkR · 11-07-2011, 04:55 PM

Do you mean when sharing the scripts with others?

I usually define variables like that which don't change else where in another file anyway using:

PHP Code:


			
//constants file

define('DB_SERVER', 'localhost');

define('DB_USER', 'admin');

define('DB_PASS', 'password');

define('DB_DATABASE', 'database');



//then in your connection file

$sqlcon = mysql_connect(DB_SERVER, DB_USER, DB_PASS);

 $sqldb = mysql_select_db(DB_DATABASE, $sqlcon);

Then if you accidently show someone the code all they see is a variable name, unless you accidently show them the file with all your private definitions in!

DesignerBill · 11-08-2011, 12:14 AM

I was mostly concerned about someone being able to view the scripts with Notepad or another text editor (yes, you can open a text file on a web server by just giving Notepad the url) so I did what you suggested, and placed the constants file in a separate password protected directory on my web server. Thank you for the help.

n1c0_ds · 11-08-2011, 04:37 PM

Quote:

Originally Posted by DesignerBill

I was mostly concerned about someone being able to view the scripts with Notepad or another text editor (yes, you can open a text file on a web server by just giving Notepad the url) so I did what you suggested, and placed the constants file in a separate password protected directory on my web server. Thank you for the help.

That's not how it work. If you try to fetch a .php file from a server, Apache will return the processed file, not the raw code with your precious stuff inside.

I would be much more worried about SQL injection risks and the like.

As suggested above, disable all error reporting on the page and route the errors to a log file instead. Error messages can be precious to hackers. Also use safe passwords (#1 hacking cause in my experience) and escape your SQL parameters.

11-04-2011, 12:56 PM	#2
MarkR Silver Member Join Date: Aug 2011 Posts: 100	I don't quite understand what you mean, if you mean preventing them from displaying to the client if an error occurs you can hide errors using PHP Code: `ini_set('display_errors',0); error_reporting(0);` If you mean when sending people php files, just remove them from the script __________________ Mark R Wubbleyou - Web Design Newcastle A professional web design agency based in Newcastle upon Tyne servicing clients based throughout the U.K. Home spray tan machine - Landlord Reviews

11-05-2011, 04:09 PM	#3
DesignerBill Silver Member Join Date: Jul 2011 Posts: 146	Mark, I mean how to keep the server name, user name, password and database name from being visible somewhere in the script where the following statements are used, or in a related script, as I understand you cannot totally hide website code: $sqlcon = mysql_connect(server name, user name, password); $sqldb = mysql_select_db(database name, $sqlcon); __________________ space Orchid Technical Services Website Design/Development and Technical Support

11-07-2011, 04:55 PM	#4
MarkR Silver Member Join Date: Aug 2011 Posts: 100	Do you mean when sharing the scripts with others? I usually define variables like that which don't change else where in another file anyway using: PHP Code: `//constants file define('DB_SERVER', 'localhost'); define('DB_USER', 'admin'); define('DB_PASS', 'password'); define('DB_DATABASE', 'database'); //then in your connection file $sqlcon = mysql_connect(DB_SERVER, DB_USER, DB_PASS); $sqldb = mysql_select_db(DB_DATABASE, $sqlcon);` Then if you accidently show someone the code all they see is a variable name, unless you accidently show them the file with all your private definitions in! __________________ Mark R Wubbleyou - Web Design Newcastle A professional web design agency based in Newcastle upon Tyne servicing clients based throughout the U.K. Home spray tan machine - Landlord Reviews

11-08-2011, 12:14 AM	#5
DesignerBill Silver Member Join Date: Jul 2011 Posts: 146	I was mostly concerned about someone being able to view the scripts with Notepad or another text editor (yes, you can open a text file on a web server by just giving Notepad the url) so I did what you suggested, and placed the constants file in a separate password protected directory on my web server. Thank you for the help. __________________ space Orchid Technical Services Website Design/Development and Technical Support

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

10-28-2011, 02:03 AM	#1
DesignerBill Silver Member Join Date: Jul 2011 Posts: 146	PHP - Hiding MySQL Parameters Question for PHP experts: How does one typically hide from prying eyes the server name, username, and password that appear in a mysql_connect operation, and the database name in mysql_select_db? Seems you would not want them seen by someone browsing the script. __________________ space Orchid Technical Services Website Design/Development and Technical Support