I have a great php mySQL login script that works fine. Is ther another way to provide all my access info without revealing it in the script? Right now I show all my security access info which I think is not safe.
Can I hide this?
Here is what I'm referring to:
$host="localhost"; // Host name
$username="XXXXXXXXXX"; // Mysql username
$password="XXXXXXXXXX"; // Mysql password
$db_name="XXXXXXXXXXX"; // Database name
$tbl_name="XXXXXXXXXX"; // Table name
Create database.php, move your code snippet above to database.php, then ..
include "database.php";
At the top of each page that needs a database connection.
First step: Put all mysql api into separate file, than include it in other scripts.
Second: Deny access to sql config\api file due configuring your server.
btw, whom do you show "show all my security access info"?
As long as php interpret your script before it's send to the client you're safe. If you have access to apache conf files you could try something like this.
If you are going to include the file at the top of your script it's important that you give the file an extension that will be interpreted (.php) or prevent them from being served in the .htaccess file. Otherwise you might risk that the webserver serve it as text upon request.
There is no easy way to do this, I would suggest storing the variables in a separate file and then just including the data. If you're not happy with others reading the data why not create a separate user specifically for the script? That's the way I'd do it.
If you want to give that script away and ecrypt the whole file before, you can always use Zend Guard
It will have to be defined somewhere. I would make sure you have suPHP installed so you can set your permissions to 400. Then include the file which has your definitions, like connection.php etc. This is very secure as it allows the php files only to be read by the server / your account.
Client machines do not have access to source code for server-side processes or any PHP variables: only output. Unless you provide a specific mechanism to display variables (i.e. debugging functions like var_dump) in your PHP script, then it is secure. Also, your server has to be set up to process PHP files and render the script's output instead of delivering the raw code as if it were plain HTML, but simply installing PHP usually takes care of that problem.
Then there is a broader issue of level-of-access with collaborators or others who have server access: and that is why it is good to house your credentials in a separate file that you exclude from public environments like GitHub. That is all I will say about that, as every case is different, especially when you toss in file permissions and file ownership. It should be noted, however, that the MySQL user permissions can also be limited, which adds an extra layer of insurance in case the wrong person comes across the credentials.
