Re: Security with dbHost, dbUser, dbPassword

I think what you're doing now is reasonably safe,
but it assumes that apache will actually pass all .php files
to php for processing. if the php module doesn't load for
some reason then the contents of the file will be output
in its entirety - this is why it's much better to store
this file outside of the webroot ...

Otto Wyss wrote:
> What is the usual safe way to store/use DB access info in a script. I
> currently just use some PHP variables in a file which I include in all
> other scripts.
> 
> config.php
> <?PHP
>   if (!defined ("config_include")) die ("Error...");

even without the above statement the file wouldn't
display anything - that said the if statement doesn't hurt.

I usually define constants for the values below to avoid
the possibility that the values are overwritten at any stage,
I also do it because I prefer not to pollute the global scope
with 'unnecessary' vars.

granted define() is slower than creating a var - which is why some
people would recommend against using it.

>   $dbhost = "localhost";
>   $dbuser = "name";
>   $dbpass = "password";
>   $dbname = "database";
>   $dbcoll = "utf8_unicode_ci";
> ?>

I never include the closing php tag in include files to avoid
stray empty lines being output - which can cause any headers
that you try to send after the offending include file is included
to fail.

> 
> Is this safe enough or are there better ways? Where should I store this
> file so it isn't accessible via the net but inside scripts?

outside the webroot. what people often do is create an include dir
at the same level as the webroot dir and add this directory to the include_path
ini setting.

e.g.

/home/webroot/global.php
/home/webroot/index.php
/home/include
/home/include/config.php

index.php
=========
<?php

include './global.php';

global.php
==========
<?php

// define a constant for the include path - which can coexist with or usurp
// a suitably defined include_path

define('INC_DIR', realpath($_SERVER['DOCUMENT_ROOT'].'/../include'));
// UNIX
ini_set('include_path', '.:'.INC_DIR); // this value assumes you're on *nix
// WINDOWS
//ini_set('include_path', '.;'.INC_DIR);  // this is for windows

// the following 2 lines are 2 ways to do the same thing
include INC_DIR.'/config.php';
include 'config.php';  // this relies on the include_path being set



> 
> O. Wyss
> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
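
The layout described in the reply above, as an added example that is not part of the original thread: a config file kept outside the webroot, using define() constants and no closing tag, loaded through a check that fails closed if the file is missing or resolves inside the document root. The function names, the DB_* constant names and the temp-dir layout are assumptions made for the demo.

```php
<?php
// Added example, not code from the thread; DB_* names/values and paths are constructed.
// True only when $file exists and resolves to a path outside $docRoot.
function is_outside_docroot(string $file, string $docRoot): bool
{
    $real = realpath($file);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        return false; // missing file or root: fail closed
    }
    // Trailing separator keeps /home/webroot-old from matching /home/webroot.
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $root, strlen($root)) !== 0;
}

// Load the credentials file, refusing one that sits inside the webroot.
function load_db_config(string $configFile, string $docRoot): void
{
    if (!is_outside_docroot($configFile, $docRoot)) {
        throw new RuntimeException("config missing or inside webroot: $configFile");
    }
    require_once $configFile;
}

// Demo layout mirroring /home/webroot and /home/include.
$base = sys_get_temp_dir() . '/cfgdemo_' . getmypid();
mkdir("$base/webroot", 0700, true);
mkdir("$base/include", 0700, true);

// config.php: constants instead of variables, and no closing tag.
file_put_contents("$base/include/config.php", <<<'CONFIG'
<?php
define('DB_HOST', 'localhost');
define('DB_USER', 'name');
define('DB_PASS', 'password');

CONFIG
);

load_db_config("$base/include/config.php", "$base/webroot");
echo 'connecting to ', DB_HOST, ' as ', DB_USER, "\n";

// A copy left inside the webroot is refused.
copy("$base/include/config.php", "$base/webroot/config.php");
try {
    load_db_config("$base/webroot/config.php", "$base/webroot");
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
```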

