What I do, because I am using a test platform is to put the line with pconnect() in a small text file, place this file somewhere on the disk, outside of the web site root and refer to that file with include() in my code. This way, even if the PHP source code were compromised, the user name and password used to access the DB cannot be seen.
> > ------------------------------------------------------------------------ > > Subject: > > Re: [PHP] PHP and MYSQL Security` > From: > > "Fred" <[EMAIL PROTECTED]> > Date: > > Sun, 27 Jan 2002 16:59:31 -0800 > To: > > [EMAIL PROTECTED], [EMAIL PROTECTED] > > >If this file has a .php extension remote users will not have access to the >variables because the file is parsed by php and they never see the actual >file contents when requesting the document via the web. If you are >concerned with users on localhost having access to the file, simply give it >the correct permissions so that no one else has read access. > >If you are concerned about web users having access, if, for example, the php >parser crashed and apache tried to pass the file through without parsing, >you can put the default server, user and pass variables in the php.ini file >which is not in the document root for apache. Of course, this only works if >all of your scripts use the same server, user and password. > >Fred > >Duky Yuen <[EMAIL PROTECTED]> wrote in message >[EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > >>How can I secure my username and password? In 1 of my files, it contains >>the following: >> >> $conn = mysql_connect( "12.34.56.78", "username", "password"); >> mysql_select_db("database",$conn); >> >>What should I do, so people can't get this information? >> >>Duky >> -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
