im a total beginner in web programming. Im trying to create a simple website that is reading data from a SQL Database. At first i just wrote my database password and login directly into the php code:
This obviously isn't a very good idea! So what is a [much] more "secure" way to do this? I read about putting the php code into a seperate file, meaning not into the main php document of the website, and then restricting the access to that file. Maybe by a .htaccess file. Is this the way to go?
asked May 11, 2011 at 10:01
4
The config.php
file and the .htaccess
is a classic/good way to go. It's the way it is usually done with CMS or frameworks.
As pointed by JohnP
, you can also store the config.php
outside of the public directory, that means that it can't be accessed via HTTP. This is only a little better for security [if you don't make a mistake with your .htaccess, there is no more risks].
File structure example :
config/
-> configuration fileslib/
-> libraries and utils PHP filespublic/
-> all you public pages/files/images...
That way, //www.your-site.com/ points to public/
, so there's no way to access the config. But this solution implies that you can change the root web directory [or that it is already like that].
Finally, you have to remember to set this file readable and writeable by the Apache user only, not everyone [unix file access rights], so that if someone gain access to you server through another user, he can't read the file.
answered May 11, 2011 at 10:05
Matthieu NapoliMatthieu Napoli
46.4k44 gold badges163 silver badges254 bronze badges
0
You normally put this in a configuration file and you access the configuration values via PHP.
Usually a project is organized such that your application code and your configuration code is outside your webroot and only your public resources [index.php, images, scripts or other resources] are available via direct access.
answered May 11, 2011 at 10:05
JohnPJohnP
48.9k13 gold badges108 silver badges138 bronze badges
4
A database connection file may contain confidential information like the following: The confidential information includes database name, username and password for connection. Therefore, putting your database connection file in the document root of httpd might leave chances for
hackers to attack your data. A better solution is to move the file out of document root of httpd. For instance, if the database connection file is under the document root: /var/www/html/db.inc, you can create a directory /var/www/db outside the document root for your database connection file to store itself. Here are the steps: The new location of
this file will be /var/www/db/db.inc Please note that, PHP allows you to use absolute paths to require files, which are more accurate than relative paths in many ways.
[root@localhost www]# mkdir /var/www/db
[root@localhost www]# ls -l
...
drwxr-xr-x. 2 root root 4096 Dec 28 14:54 db
... [root@localhost www]# mv /var/www/html/comm/db.inc /var/www/db/
Into: