Hi All,

I have used PHP to connect to MySQL. I have an include where I put database information, connection info, etc., and I include it where necessary.

What prevents someone from crawling my site, finding this include and connecting to my db? I do typically limit to few privs in MySQL, so for example a user that can just insert/update data. But I do have an admin user that has full control.

What is best practice here to protect my connection info?

Thanks,

-Jason

+13  A: 

Keep the include in a folder not within webroot. In case someone does get web server access to your site and can see the PHP in the filesystem, the included and sensitive details are not in the web root. A lot of hacks can only get access to where the sites are. Make sure your PHP source directory is not there.

tkotitan
+1  A: 

What are you using for a web server? If it's Apache or similar you can place the DB info outside of the document root.

awithrow
+1  A: 

If your server is configured properly, the PHP code is executed by PHP and only the output is sent to the browser, not the source code itself. So browsing/crawling your website would never reveal the contents of the PHP files, i.e. the database credentials.

Of course, if your server is not configured properly, this need not be true. (But in that case you should fix it!)

David Zaslavsky
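
The layout the answers above describe, as an added example that is not code from any of the posters: the credentials file lives outside the document root, so even a server that stops executing PHP and serves source cannot hand it out, and the loader refuses to run if that stops being true. The directory names, the `db.php` file name and the array keys are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed layout (hypothetical paths):
//   /var/www/example/public/index.php   <- document root, served by the web server
//   /var/www/example/private/db.php     <- never served; contains only:
//       <?php return ['dsn' => 'mysql:host=localhost;dbname=app;charset=utf8mb4',
//                     'user' => 'app_rw', 'password' => '...'];
//   'app_rw' stands for the limited insert/update account, not the admin user.

function loadDbConfig(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);
    if ($real === false) {
        throw new RuntimeException('Database config file not found');
    }

    // Fail closed if someone moves the credentials under the web root.
    $root = realpath($docRoot);
    if ($root !== false && strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('Database config must live outside the document root');
    }

    // Fail closed if other local users can read the file (world-readable bit).
    $perms = fileperms($real);
    if ($perms !== false && ($perms & 0004) !== 0) {
        throw new RuntimeException('Database config must not be world-readable');
    }

    $config = require $real;
    foreach (['dsn', 'user', 'password'] as $key) {
        if (!is_array($config) || !isset($config[$key])) {
            throw new RuntimeException("Database config is missing '$key'");
        }
    }
    return $config;
}

function connect(array $cfg): PDO
{
    return new PDO($cfg['dsn'], $cfg['user'], $cfg['password'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Called from a script inside the document root, e.g. public/index.php.
$docRoot = ($_SERVER['DOCUMENT_ROOT'] ?? '') ?: __DIR__;
$db = connect(loadDbConfig(__DIR__ . '/../private/db.php', $docRoot));
```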