Hiding MySQL username and password
This is a discussion on Hiding MySQL username and password within the MySQL Database forums, part of the Database Forums category; Ok, I am a newbie. But now I have tried everything. My quest is to put the MySQL host name, ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
03-27-2007
|
|||
|
|||
Hiding MySQL username and password
Ok, I am a newbie. But now I have tried everything. My quest is to put
the MySQL host name, user name, password, databasename and table-name in a separate file outside our web domain and call these variables via include (into my PHP-file). But it wont work! The path & diectories are all fine, the PHP script works perfect (at last before I decided to move this critical information). This is the script: <?php //starts here... include ("/home/secret/protect/the_imported_mysqldata.inc"); $link=LinkUp($host,$username,$password)or die("Cant connect"); mysql_select_db($db_name)or die("cant choose db"); $sql="SELECT secret_variable FROM $tbl_name WHERE username='$username' AND password='$password'"; $result=mysql_query($sql); (and so on) here is the included "the_imported_mysqldata.inc": <?php $host="the.secret.host"; $username="secret_as_stone"; $password="very_secret"; $db_name="secret_db"; $tbl_name="the_actual_table"; function LinkUp($host,$username,$password) { $mysql_link=mysql_connect($host,$username,$passwor d); return $mysql_link; } ?> What have I done wrong? Please?? 
|
|
03-28-2007
|
|||
|
|||
|
Re: Hiding MySQL username and password
> here is the included "the_imported_mysqldata.inc": > <?php > $host="the.secret.host"; > $username="secret_as_stone"; What happens if you use the require statement instead of include? If it still does not want to connect, but does include the file, try using the $GLOBALS array (like: $GLOBALS['host'] = 'the.secret.host';). Best regards, -- Willem Bogaerts Application smith Kratz B.V. http://www.kratz.nl/
|
|
03-28-2007
|
|||
|
|||
|
Re: Hiding MySQL username and password
"Nosferatum" <John.Olav.O@gmail.com> wrote in message news:1175027060.627223.175550@n59g2000hsh.googlegr oups.com... > Ok, I am a newbie. But now I have tried everything. My quest is to put > the MySQL host name, user name, password, databasename and table-name > in a separate file outside our web domain and call these variables via > include (into my PHP-file). > But it wont work! The path & diectories are all fine, the PHP script > works perfect (at last before I decided to move this critical > information). > > This is the script: > <?php //starts here... > include ("/home/secret/protect/the_imported_mysqldata.inc"); > $link=LinkUp($host,$username,$password)or die("Cant connect"); > mysql_select_db($db_name)or die("cant choose db"); > > $sql="SELECT secret_variable FROM $tbl_name WHERE username='$username' > AND password='$password'"; > $result=mysql_query($sql); > > (and so on) > > here is the included "the_imported_mysqldata.inc": > <?php > $host="the.secret.host"; > $username="secret_as_stone"; > $password="very_secret"; > $db_name="secret_db"; > $tbl_name="the_actual_table"; > > function LinkUp($host,$username,$password) > { > $mysql_link=mysql_connect($host,$username,$passwor d); > return $mysql_link; > } > ?> > > What have I done wrong? Please?? > I am probably mistaken, but do you need to have "<?php" and "?>" in the include file, as the file will be included within a section of code that's already wrapped in the start/end php codes?
|
|
03-28-2007
|
|||
|
|||
|
Re: Hiding MySQL username and password
On Mar 28, 4:23 pm, "Sean" <sean.anderson@[nospam]oakleafgroup.biz>
wrote: > "Nosferatum" <John.Ola...@gmail.com> wrote in message > > news:1175027060.627223.175550@n59g2000hsh.googlegr oups.com... > > > > > Ok, I am a newbie. But now I have tried everything. My quest is to put > > the MySQL host name, user name, password, databasename and table-name > > in a separate file outside our web domain and call these variables via > > include (into my PHP-file). > > But it wont work! The path & diectories are all fine, the PHP script > > works perfect (at last before I decided to move this critical > > information). > > > This is the script: > > <?php //starts here... > > include ("/home/secret/protect/the_imported_mysqldata.inc"); > > $link=LinkUp($host,$username,$password)or die("Cant connect"); > > mysql_select_db($db_name)or die("cant choose db"); > > > $sql="SELECT secret_variable FROM $tbl_name WHERE username='$username' > > AND password='$password'"; > > $result=mysql_query($sql); > > > (and so on) > > > here is the included "the_imported_mysqldata.inc": > > <?php > > $host="the.secret.host"; > > $username="secret_as_stone"; > > $password="very_secret"; > > $db_name="secret_db"; > > $tbl_name="the_actual_table"; > > > function LinkUp($host,$username,$password) > > { > > $mysql_link=mysql_connect($host,$username,$passwor d); > > return $mysql_link; > > } > > ?> > > > What have I done wrong? Please?? > > I am probably mistaken, but do you need to have "<?php" and "?>" in the > include file, as the file will be included within a section of code that's > already wrapped in the start/end php codes? Yes you are - and yes you do! Correct me if I'm wrong but I think the file server also needs permission to read the folder in which the include is buried. I know nothing whatsoever about security but I would have thought that just putting the includes in a folder just outside the htdocs path would be safe enough. The folder would not need to be called anything like 'include'. Likewise, I think the file can have any extension you care to give it
|
|
03-28-2007
|
|||
|
|||
|
Re: Hiding MySQL username and password
strawberry wrote:
> On Mar 28, 4:23 pm, "Sean" <sean.anderson@[nospam]oakleafgroup.biz> > wrote: > >>"Nosferatum" <John.Ola...@gmail.com> wrote in message >> >>news:1175027060.627223.175550@n59g2000hsh.google groups.com... >> >> >> >> >>>Ok, I am a newbie. But now I have tried everything. My quest is to put >>>the MySQL host name, user name, password, databasename and table-name >>>in a separate file outside our web domain and call these variables via >>>include (into my PHP-file). > I know nothing whatsoever about security Um. > but I would have thought that > just putting the includes in a folder just outside the htdocs path > would be safe enough. The problem is that the web server, usually Apache, runs CGI programs as user "nobody". It can't read your non-public files. If you make the password file readable by any user, anybody else on the machine can read it, which is terrible in shared server environments. John Nagle
|
|
03-28-2007
|
|||
|
|||
|
Re: Hiding MySQL username and password
On Mar 28, 9:00 pm, John Nagle <n...@animats.com> wrote:
> strawberry wrote: > > On Mar 28, 4:23 pm, "Sean" <sean.anderson@[nospam]oakleafgroup.biz> > > wrote: > > >>"Nosferatum" <John.Ola...@gmail.com> wrote in message > > >>news:1175027060.627223.175550@n59g2000hsh.google groups.com... > > >>>Ok, I am a newbie. But now I have tried everything. My quest is to put > >>>the MySQL host name, user name, password, databasename and table-name > >>>in a separate file outside our web domain and call these variables via > >>>include (into my PHP-file). > > I know nothing whatsoever about security > > Um. > > > but I would have thought that > > > just putting the includes in a folder just outside the htdocs path > > would be safe enough. > > The problem is that the web server, usually Apache, runs CGI programs > as user "nobody". It can't read your non-public files. If you > make the password file readable by any user, > anybody else on the machine can read it, which is terrible in shared > server environments. > > John Nagle So what's the correct solution?
|
Linear Mode
