LinuxQuestions.org


Wibble 04-20-2004 09:04 AM

PHP > MySQL connection password security question
 
I am using PHP to connect to a MySQL database using the following code:

$conn = mysql_connect("localhost", "root", "password") or die(mysql_error());

This works just fine but I am concerned about the security implications of having the password in the source code.

Is there a better method of achieving this that doesn't require the password to be in the source code?

Thanks in advance...

Hangdog42 04-20-2004 09:46 AM

Why are you using root to access MySQL? It would be a LOT safer to create a new MySQL user that only has privileges for the tables that PHP needs to access. That would at least mitigate any potential problems.

By the way, PHP is server side. I'm not sure that a user can see the PHP source code unless you are distributing it as a separate file rather than serving it as a web page.

Wibble 04-20-2004 10:22 AM

Quote:

Originally posted by Hangdog42
Why are you using root to access MySQL? It would be a LOT safer to create a new MySQL user that only has privileges for the tables that PHP needs to access. That would at least mitigate any potential problems.

You are quite right, the code in use does, as you suggest, use a different username configured for the purpose.

I'm surprised that Linux doesn't offer a system like ODBC DSN connections that removes the need for passwords in the source code.

Hangdog42 04-20-2004 12:31 PM

Quote:

I'm surprised that Linux doesn't offer a system like ODBC DSN connections that removes the need for passwords in the source code.

I'm going to step WAY out of my depth here, but are you sure it doesn't? This really isn't a Linux problem; this is actually a MySQL problem, since it is the MySQL username and password you have to hard code, not the Linux ones.

This is where I get out of my depth: You probably need to do a bit of MySQL research and see if it does support a system like ODBC DSN. Just a little googling around suggests to me that there is a driver called MyODBC that might do the trick. I haven't investigated enough to be sure, however. And if MySQL doesn't work the way you need it to, maybe another database like PostgreSQL or Firebird will.

Pcghost 04-22-2004 03:19 PM

The way we keep it a little safer is to use connection documents stored outside the docroot. A simple "require_once('connect.php')" appears in all our database-enabled scripts. That way, if the script is cracked and the source revealed, they don't get connection details, only the database structure from the queries.
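
An added example, not code from any poster in this thread, of the connection-file approach described above combined with the earlier advice to avoid the MySQL root account: the credentials live in a file outside the docroot, and the loader refuses to use it if it sits inside the served tree, is world-accessible, or names root. The path `/etc/myapp/db.php`, the account `webapp`, the database `appdb` and both function names are assumptions, and it uses `mysqli` rather than the `mysql_connect()` call from the original post.

```php
<?php
// Added example, not code from the thread. The path, account and database names are assumptions.
// /etc/myapp/db.php (outside the docroot, mode 0640, group = web server) would contain:
//   <?php return ['host' => 'localhost', 'user' => 'webapp',
//                 'pass' => 'CHANGE_ME', 'name' => 'appdb'];
const DB_CONFIG_PATH = '/etc/myapp/db.php'; // hypothetical location

function load_db_config(string $path, string $docroot): array
{
    $real = realpath($path);
    if ($real === false || !is_readable($real)) {
        throw new RuntimeException('database config missing or unreadable');
    }
    // Refuse a config file that lives inside the web-served tree.
    $root = $docroot !== '' ? realpath($docroot) : false;
    if ($root !== false && strpos($real, rtrim($root, '/') . '/') === 0) {
        throw new RuntimeException('database config must live outside the docroot');
    }
    // Refuse a config file that every local user can read, write or execute.
    if ((fileperms($real) & 0007) !== 0) {
        throw new RuntimeException('database config must not be world-accessible');
    }
    $cfg = require $real;
    foreach (['host', 'user', 'pass', 'name'] as $key) {
        if (!is_array($cfg) || !isset($cfg[$key])) {
            throw new RuntimeException("database config lacks '$key'");
        }
    }
    if ($cfg['user'] === 'root') {
        throw new RuntimeException('use a dedicated low-privilege MySQL account');
    }
    return $cfg;
}

function db_connect(): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures become exceptions
    try {
        $cfg = load_db_config(DB_CONFIG_PATH, $_SERVER['DOCUMENT_ROOT'] ?? '');
        return new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name']);
    } catch (Throwable $e) {
        error_log('DB connect failed: ' . $e->getMessage()); // detail stays in the server log
        http_response_code(500);
        exit('Database unavailable.'); // nothing about the connection reaches the client
    }
}
```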

