
When writing out the connect code to the database, isn't it wide open for anyone to view my database username and password? Couldn't they then connect and alter my database? It just seems strange to type out my username and password and not have them encrypted.

mysql_connect('localhost', 'user1', 'correcthorsebatterystaple');

I know the source isn't viewable when you right-click > View Source. But if someone created a quick HTML page with `<a href="mywebsite.com/connect_file.php">`, then right-clicked and downloaded it, they could view my PHP code along with my username and password, right?

– m1xolyd1an

Comments:

  • No, but you do need to be worried about `mysql_` functions, *they are deprecated*. Use `mysqli_` or `PDO` instead. – Jay Blanchard Sep 15 '14 at 19:13
  • The only way someone can download the PHP file directly is if your webserver is incorrectly configured and doesn't serve PHP. If PHP pages render when you navigate to them, then people aren't just going to be able to download the file contents. – tbddeveloper Sep 15 '14 at 19:15
  • Jay, Hammer - Thank you for the info – m1xolyd1an Sep 15 '14 at 19:18
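The misconfiguration the second comment describes (the web server handing back the `.php` file as plain text instead of running it) is easy to check for from the outside. The following shell script is an added example for checking your own site, not code from the thread; the URL it mentions is a placeholder and the response bodies in the usage line are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): detect whether a URL returns raw,
# unparsed PHP source instead of rendered output.

# Return 0 (true) when a response body looks like unparsed PHP source.
# Matches PHP open tags (<?php, <?=) and the connect calls a credentials
# file would contain. It deliberately does not match "<?xml", which a
# legitimate XML or SVG response may legitimately start with.
php_source_leaked() {
    printf '%s\n' "$1" | grep -Eq '<\?(php|=)|mysqli?_connect\(|new PDO\('
}

# Fetch a URL with curl and report whether its body leaks PHP source.
# Exit status: 0 = rendered as expected, 1 = source leaked, 2 = fetch failed.
check_php_url() {
    url="$1"
    body=$(curl -fsS --max-time 10 "$url") || return 2
    if php_source_leaked "$body"; then
        echo "LEAK: $url returned PHP source"
        return 1
    fi
    echo "ok: $url rendered"
    return 0
}

# Usage against a placeholder URL (replace with a page on your own server):
# check_php_url 'https://mywebsite.example/connect_file.php'
#
# Offline self-check with constructed bodies:
# php_source_leaked '<?php mysql_connect("localhost", "user1", "x");'  # true
# php_source_leaked '<!DOCTYPE html><html><body>Hi</body></html>'     # false
```

Run `check_php_url` against a page you know contains PHP; a rendered page never contains the open tag, so any match means the handler is not being applied and every file under the document root, including a connect file, is readable. This is also the reason both answers below recommend keeping the credentials file outside the document root: the check above then has nothing to find even when PHP parsing is broken.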

3 Answers

PHP is executed on the server and outputs HTML to the client, so the client can never view the PHP source. So you don't have to worry about your passwords' safety in those files.

– Wessel van der Linden

Your server sees all requests (so even that `<a href>` one in your example) to the file as being ones that ask for a PHP file.

Your server will first ask PHP to parse the file and, if set up correctly, never show the code in any way.

Someone with direct (SSH, for instance) access to your server or your code (FTP, GitHub, etc.) will be able to read your code and so your password. Avoid this at all costs.

You can put stuff you need to be careful of outside of your www-root directory (for instance /var/www). Even IF something is wrong, the chances that your config will be read are smaller if it is in a separate place. Use an include to include it. This will only 'work' if the file is parsed, so if it is NOT parsed, you won't be including it, so it will not be shown.

– Nanne

If a user was to load your connect_file.php directly into the browser, they would get the PHP file rendered as HTML, which is likely blank. Clicking save-as would save a local copy of the blank HTML page. Because PHP is rendered on the server and then sent to the user's browser, they only see the results, not the source.

If you're still concerned about this, you could always store connect_file.php in a location that is not accessible to the web and include it from another file. In the event that the PHP process broke or the PHP code was somehow served up raw, this would further prevent someone from viewing your PHP code containing the password.

– Surreal Dreams
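The "store it outside the web root and include it" layout that both of the last two answers recommend, combined with the `PDO` suggestion from the comments, as an added example written for this page (it is not code from any of the posters). The directory layout (`/var/www/config` for secrets, `/var/www/html` as the document root), the `app` database name and the DSN are assumptions; the username and password are the sample values from the question.

```php
<?php
// ---- /var/www/config/db.php (hypothetical path, OUTSIDE the document root) ----
// The file simply returns the settings; it never echoes anything, so even if
// the web server ever served it raw there is nothing in the document root to
// serve, because it is not under /var/www/html at all.
return [
    'dsn'  => 'mysql:host=localhost;dbname=app;charset=utf8mb4', // assumed DSN
    'user' => 'user1',
    'pass' => 'correcthorsebatterystaple',
];

<?php
// ---- /var/www/html/connect_file.php (hypothetical path, INSIDE the document root) ----
declare(strict_types=1);

/**
 * Load the credentials file and refuse to continue if it turns out to live
 * under the document root, which is exactly the case in which a broken PHP
 * handler would expose it as plain text.
 */
function load_db_config(string $path): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException('DB config file not found');
    }

    // DOCUMENT_ROOT is only set when running under a web server; when invoked
    // from the CLI the guard is skipped because there is nothing to compare.
    $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docRoot !== false && strpos($real, $docRoot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('DB config must live outside the document root');
    }

    $cfg = require $real;   // the file returns the array above
    foreach (['dsn', 'user', 'pass'] as $key) {
        if (!isset($cfg[$key])) {
            throw new RuntimeException("DB config is missing '$key'");
        }
    }
    return $cfg;
}

/** Open a PDO connection (replaces the deprecated mysql_connect). */
function db_connect(array $cfg): PDO
{
    return new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    ]);
}

try {
    // __DIR__ is /var/www/html here, so this resolves to /var/www/config/db.php.
    $pdo = db_connect(load_db_config(__DIR__ . '/../config/db.php'));
} catch (PDOException $e) {
    // Log the detail, but never echo it: the message can include the host and DSN.
    error_log('DB connection failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Database unavailable');
}

// $pdo is now ready for prepared statements, e.g.
// $stmt = $pdo->prepare('SELECT id FROM users WHERE name = ?');
// $stmt->execute([$name]);
```

The point of the `load_db_config()` guard is that "keep it outside the web root" is a convention that silently stops holding when someone later moves the file; failing loudly at startup is cheaper than finding out from the shell check above. The `PDOException` branch matters for the same reason as the question itself: PHP's default error output would print the connection string, and with `display_errors` on that ends up in the browser.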