1. Home
  2. Forums Index
  3. Server Side / PHP Server Side Scripting 9:14 am May 21, 2026

Forum Moderators: coopster

Message Too Old, No Replies

[question] How to secure database connection setup file

db set, secure db connection

         

TrueStory

5:46 pm on Jan 17, 2012 (gmt 0)

10+ Year Member



Guys, I am typically the one helping people who are new to PHP, but this is somewhat expert question, if someone could help me with.

I am writing a script for website that will take credit cards. I am trying to secure information as much as possible. My biggest issue is with MySQL db setup.

for example:
I have a db_setup.php file (hidden beyond root directory)

PHP Code: 
//set parameters
 = 'db_user';
 = 'super-secret-password';
 = 'db-name';
//connect
 = mysql_connect('localhost', , );
//destroy trivial info
unset();
unset();
if (!) {
  die('Could not connect: ' . mysql_error());
}

 = mysql_select_db(, );
if (!) {
  die ('isses with DB : ' . mysql_error());
}
unset();
?>

and this file is included in my index page 


require('../protected/db_setup.php');

Where I point to the file outside of my site root for extra protection.

THE PROBLEM:

IF, and only IF php engine on the webserver chokes and decides to dump all php files in text form (instead of interpreting), whoever is accessing that site can read all my secrets in PLAIN TEXT!

How would you prevent that from happening?

I wonder if you're asking, but TrueStory how often does PHP engine crashes?

Well, a hacker can forcefully pass large information to server (in file upload form or in any user input form on the site)

I want to prevent my db_setup.php from being included (but still executed) at all! Even if php engine would never crash.

Gracias!

TrueStory

5:50 pm on Jan 17, 2012 (gmt 0)

10+ Year Member



guys, sorry i cannot edit above post, here is correct code 


//set parameters
$dbuser = 'db_user';
$dbpassword = 'super-secret-password';
$dbname = 'dbname';
//connect
$link = mysql_connect('localhost', $dbuser, $dbpassword);
//destroy trivial info
unset($dbpassword);
unset($dbuser);
if (!$link) {
  die('Could not connect: ' . mysql_error());
}

$db_selected = mysql_select_db($dbname, $link);
if (!$db_selected) {
  die ('isses with DB : ' . mysql_error());
}
unset($dbname);

penders

6:07 pm on Jan 17, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



IF, and only IF php engine on the webserver chokes and decides to dump all php files in text form (instead of interpreting), whoever is accessing that site can read all my secrets in PLAIN TEXT!


This is why db_setup.php is above the web root. All the end user will see is the require() statement itself.... 
require('../protected/db_setup.php');


db_setup.php will still be inaccessbile. This is the 'extra protection' you mention.

enigma1

8:28 pm on Jan 17, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Well it's not only the php engine. Even if that's the case the folder where the config file with passwords is stored, should be protected from the server script (like .htaccess) so http access is not allowed. I prefer it over the relevant back paths which have environment dependencies.

Another thing there should be also a db switch from your host's cpanel you could use it to restrict remote database connections.

in file upload form or in any user input form on the site

They don't need an input field present on your site or a form to do that, they can upload whatever. It's what your code does in these cases.

1888software

12:01 am on Jan 18, 2012 (gmt 0)

10+ Year Member



In response to 'a hacker can forcefully pass large information to server (in file upload form or in any user input form on the site)' enigma1 is correct in saying 'It's what your code does in these cases'.

... my suggestion is that you limit the size of the data input or upload:

examples
text form object: maxlength='nnn'
file upload script from [php.net...]

MAX_FILE_SIZE must precede the file input field
input type="hidden" name="MAX_FILE_SIZE" value="30000"

Check EVERY possible form input field and restrict the field data size on both sides - on the form and in the form processing.
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

  1. Home
  2. Forums Index
  3. Server Side / PHP Server Side Scripting 9:14 am May 21, 2026