PHP - Hiding MySQL Parameters

Question for PHP experts:

How does one typically hide from prying eyes the server name, username, and password that appear in a mysql_connect operation, and the database name in mysql_select_db? Seems you would not want them seen by someone browsing the script.
 

MarkR

New Member
I don't quite understand what you mean. If you mean preventing them from displaying to the client if an error occurs, you can hide errors using

PHP:
ini_set('display_errors', 0);
error_reporting(0);

If you mean when sending people php files, just remove them from the script :p
 
Mark, I mean how to keep the server name, user name, password and database name from being visible somewhere in the script where the following statements are used, or in a related script, as I understand you cannot totally hide website code:

$sqlcon = mysql_connect(server name, user name, password);
$sqldb = mysql_select_db(database name, $sqlcon);
 

MarkR

New Member
Do you mean when sharing the scripts with others?

I usually define variables like that which don't change elsewhere in another file anyway using:

PHP:
//constants file
define('DB_SERVER', 'localhost');
define('DB_USER', 'admin');
define('DB_PASS', 'password');
define('DB_DATABASE', 'database');

//then in your connection file
$sqlcon = mysql_connect(DB_SERVER, DB_USER, DB_PASS);
$sqldb = mysql_select_db(DB_DATABASE, $sqlcon);

Then if you accidentally show someone the code all they see is a variable name, unless you accidentally show them the file with all your private definitions in!
 
I was mostly concerned about someone being able to view the scripts with Notepad or another text editor (yes, you can open a text file on a web server by just giving Notepad the url) so I did what you suggested, and placed the constants file in a separate password protected directory on my web server. Thank you for the help.
 

n1c0_ds

New Member
That's not how it works. If you try to fetch a .php file from a server, Apache will return the processed file, not the raw code with your precious stuff inside.

I would be much more worried about SQL injection risks and the like.

As suggested above, disable all error reporting on the page and route the errors to a log file instead. Error messages can be precious to hackers. Also use safe passwords (#1 hacking cause in my experience) and escape your SQL parameters.
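
An added example, not part of the thread: one way to combine the advice above, with credentials read from a file outside the web root, errors sent to a log instead of the browser, and the user-supplied value bound as a query parameter. It uses PDO in place of the thread's mysql_* functions (removed in PHP 7); the file paths, the INI keys, and the `users` table and its columns are assumptions.

```php
<?php
// Added example: paths, INI keys and the table below are hypothetical.

// Never render errors to the browser; write them to a log outside the web root.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/myapp/php-error.log'); // assumed path
error_reporting(E_ALL); // keep reporting on so the log stays useful

// Credentials live in an INI file outside the document root, readable only by
// the web server user. Assumed keys: host, user, pass, name.
function load_db_config(string $path): array
{
    $cfg = parse_ini_file($path);
    if ($cfg === false) {
        throw new RuntimeException('Database configuration could not be read');
    }
    return $cfg;
}

function connect(array $cfg): PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $cfg['host'], $cfg['name']);
    try {
        return new PDO($dsn, $cfg['user'], $cfg['pass'], [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // use server-side prepared statements
        ]);
    } catch (PDOException $e) {
        // Log the message only; a full stack trace can include the constructor arguments.
        error_log('DB connection failed: ' . $e->getMessage());
        throw new RuntimeException('Database unavailable');
    }
}

// The user-supplied value is bound as a parameter, never concatenated into the SQL text.
function find_user(PDO $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db   = connect(load_db_config('/etc/myapp/db.ini')); // assumed path, outside the web root
$user = find_user($db, $_GET['email'] ?? '');
```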
 