noob mySQL security question...

[dandanthepizzaman]

Hi,

I hope this is the right place to post....!

To open a mySQL connection in php, its necessary to embed the username and password for your database/user into your php page.
Was just wondering how secure this is, how likely is it that someone could stumble onto (or hack) these details, leaving your data wide open?

Thanks in advance!Dan:lockd:

 

[marshian]

Any php code is never send to the user, the only way the user can see this data is either you allowing them to see it (due to a configuration mistake) or them hacking the server. But if they would hack your server, MySQL isn't safe anyway.

 

[dandanthepizzaman]

Righto,

so assuming I had a dbase hosted here and it was configured correctly- the only people able to access the data is myself (and any users i set up) and the host administrators?

And... (noob question coming up) do your servers ever get hacked?
Cheers Dan

 

[cowctcat]

Never as far as i can remember.
But the thing you have to remember is that if someone really wanted to they probably could. Server atacking and defense is like how it is with weapons and armor: They made the gun so the bullet proof vest was made. However, there was a point in between when the bulet couldn't be blocked.

 

[scorch94]

Well if you don't store username and password for database in a .txt file, you should be safe. This is my style to connect and query with MySQL database.
I've got 2 files. sql-info.php and sql-connect.php.
And I do sql-info.php like this:

<?php
  $_SQL = array(
    'server_name' => 'localhost',
    'username' => 'some_username',
    'password' => 'some_password',
    'database_name' => 'some_database',
  );
?>

That's sql-info.php. Now let's configure sql-connect.php.

<?php
  require_once 'sql-info.php';
  $con = mysql_connect($_SQL['server_name'], $_SQL['username'], $_SQL['password']);
  if (!$con) die(mysql_error());
  mysql_select_db($_SQL['database_name'], $con);
  mysql_ping($con);
  function db_query($sql)
    {
    global $con;
    mysql_query($sql, $con) or die(mysql_error());
    }
?>

Later, to use your database configuration, just include sql-connect.php like this:

<?php
  require 'sql-connect.php';
?>

And to query your database just use db_query() function
Of course, in sql-info.php replace some_* with your info.

This should be safe way to connect and use MySQL connection.
Hope it helps.

Now, someone can get your data unauthorized only by cracking x10's server, which is unlikely.

Regards

 

[dandanthepizzaman]

Thanks so much for your help guys.
Edit:
oh and please close this thread!