Best way to connect to MySQL with PHP securely [duplicate]
I want some input on what you guys think is the most secure way to connect to a MySQL database using PHP. Currently the way I'm doing it is a utility PHP file that I include in the top of all my other PHP files. The utility PHP file is this:

<?php
    if(!defined('IN_PHP')){
        die("hackerssss");
    }
    $mysql_host = "localhost";
    $mysql_user = "root";
    $mysql_pass = "root";
    $mysql_db = "cokertrading"; // string literal; unquoted it would be an undefined constant
?>

Any suggestions?

Lorenzoloresz answered 14/9, 2010 at 15:46 Comment(11)
What do you mean by "secure"? Secure against what?Cassady
You're missing quotes: $mysql_db = "cokertrading" (unless it's a constant). That defined('IN_PHP') check is not really useful here, as you're only defining variables, and not connecting immediately.Eyespot
@daniel the root/root is for testing on my local machine duhLorenzoloresz
Store your username/password outside the document root.Grenville
@tim is your local machine connected to the internet?Ardeha
I love all the "if your user/pass are root/root then you're a dick" comments and answers. If you were going to post up PHP source about security you wouldn't put your ACTUAL username and password in the post, would you now?Closing
@Daniel Vandersluis I wish I could vote up a comment more than once :)Morrissey
cokertrading should have quotes.Cassady
@Thomas I've seen people post their actual passwords on SO before...people make mistakes sometimes.Ardeha
This whole question depends entirely on whether the database is on the same server as your web-server (apache etc). Until we get this we cannot give you an answer.Yoo
@daniel yes, but it can't be seen from the internet. This is not for real, just a fun project.Lorenzoloresz
26

Suggestion: You should probably never be running as root; create another account and give it the 'least' privileges required for your site.

Reste answered 14/9, 2010 at 15:49 Comment(3)
+1 for the "least privileges" approach.Cassady
+1 for correcting using semi-colon; root is never a good idea.Cob
And then implement my solution ;pKimble
9

I can't believe no one has mentioned MySQLi and prepared statements yet. You may lock your password and database connection away, but that's ultimately futile if I can simply type ';DROP TABLE users;-- in the login form.

Check http://en.wikipedia.org/wiki/SQL_injection for an idea about what I'm talking about.

Realty answered 14/9, 2010 at 16:55 Comment(0)
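Putting the two points above together (the prepared-statement advice here and the "store credentials outside the document root" comment on the question), here is an added example that is not part of the original post. It assumes a config file at /etc/myapp/db.php that returns an array, a low-privilege account created for the application, and PHP built with mysqlnd (needed for get_result()).

```php
<?php
// Added example, not from the original question or answers.
// Credentials live in a file the web server can read but never serves.
// Assumed contents of /etc/myapp/db.php:
//   <?php return ['host' => '127.0.0.1', 'user' => 'cokertrading_app',
//                 'pass' => 'long-random-password', 'db' => 'cokertrading'];
$config = require '/etc/myapp/db.php';

// Throw exceptions on connection or query errors instead of silently continuing.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli($config['host'], $config['user'], $config['pass'], $config['db']);
$db->set_charset('utf8mb4');

// Look up a user by name. Whatever was typed into the login form is bound as a
// parameter, so it is sent to MySQL as data and is never parsed as SQL.
function find_user(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->bind_param('s', $username); // 's' = bind as string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// The injection string from the answer above is treated as a literal username:
// no such row exists and no second statement is ever executed.
$user = find_user($db, "';DROP TABLE users;--");
```

The account in the config should only hold the privileges the pages actually need (SELECT/INSERT/UPDATE on its own tables), so that even a bug elsewhere cannot drop a table.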
6
  • Define a pair of proper login credentials instead of "root/root" (change the user name to something else, and choose a complicated password);

  • if possible, restrict access to the database to localhost at the firewall level or, as @Scott says in the comments, set MySQL to listen for connections from 127.0.0.1 only. If neither is possible, restrict access at the MySQL level ("username"@"localhost").

Cassady answered 14/9, 2010 at 15:50 Comment(4)
The firewall rules aren't a bad idea, but they're unnecessary. You can accomplish the same by changing the mysql config to only listen on 127.0.0.1Metrorrhagia
Unless cokertrading is defined as a constant somewhere else in the file.Morrissey
@Scott good point. @Unknwntech yup, it's not sure. Removed.Cassady
+1 for restricting access to the local machine.Ardeha
5

Because PHP scripts are server side - i.e. they are parsed on the server and only the output is sent to the browser - the way you are doing this is perfectly secure.

The only way that people would be able to get your username and password would be to actually hack into your server and view the source code - in which case there's no way (in PHP) to protect against this.

Closing answered 14/9, 2010 at 15:50 Comment(0)
5
  1. Remember that anyone who can read that file will know your SQL password: set it not readable by others.
  2. Don't log in as root: create a user for each application.
  3. Don't use "root" as your root password.
  4. Don't give your password to everyone.
Tilla answered 14/9, 2010 at 15:51 Comment(0)