----- Original Message -----
From: "Robin"

Hi,

I am creating a web application which involves users registering details in a DB. Obviously this is a very common thing to do and there seem to be many different ways to solve this problem.

1. Is there a way to do this without needing to hard-code DB login details into the source?
2. Is it better practice to create individual DB users for new members when they register and use DB authentication, or should the DB connections all be through a single user and use code to check a table containing user name and password hash?
3. Is there a way to create a connection pool in PHP?

Thanks,
Rob

------------------------

Hi Robin.

I will try to explain some security problems; perhaps others here can provide more information or correct me if I make a mistake.

It is common to just have one DB (database) user and use that login for all access to the database. It is better to have a separate DB login for web site access that is restricted to only the privileges that are required.

Examples - and problems -

    <?php
    // this file is access.php
    // the credentials sit in plain variables, visible to every script that includes this file
    $username = "fred";
    $password = "pass";
    ?>

    <?php
    // this file is webpage.php
    include('access.php');
    $myconnection = mysql_connect('localhost', $username, $password);
    ?>

The above example brings a hacker one step closer to your access details. A better way is to have the actual connection in the password file, like:

    <?php
    // this file is access.php
    // the connection is opened here, so the credentials never leave this file
    $myconnection = mysql_connect('localhost', "fred", "pass");
    ?>

    <?php
    // this file is webpage.php
    include('access.php');
    .....

Always place usernames and passwords in a PHP type file. If the file is

    secret.txt
    fred pass

then I can just browse to http://yourdomain.com/hidden/secret.txt and see your username and password. If the file is secret.php

    <?php fred pass ?>

then my browser will show nothing (except an error) because it is parsed as PHP.
A script can access files directly via the server. If your main page is at

    server17\users\yourdomain\public_html\index.php

then you can place your access file at

    server17\users\yourdomain\private\access.php

and call it with a file path:

    include('\server17\users\yourdomain\private\access.php');

This way there is no easy way for a hacker to access the file.

Another security method is to use what is often called a CGI wrapper, but these wrappers do NOT often exist on Windows-based servers as they use POSIX extensions that are not supported in Windows.

Shortcut URL to this page: http://groups.yahoo.com/group/php-list
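An added example (not code from either poster) that applies the advice above with current PHP: the credentials file lives outside public_html and returns an array, the page includes it by a path built from __DIR__, a small check refuses a credentials file that is not .php or that resolves to somewhere under the document root, and the connection uses mysqli (the mysql extension with mysql_connect was removed in PHP 7) with a DB account assumed to carry only the privileges the site needs. The directory layout, the account name www_app and the database name site are assumptions.

```php
<?php
// webpage.php, served from public_html. Added example; assumes this layout:
//   /users/yourdomain/public_html/webpage.php   (this file)
//   /users/yourdomain/private/db.php            (NOT under the document root)
// and that private/db.php contains only:
//   <?php return ['host' => 'localhost', 'user' => 'www_app',
//                 'password' => 'PLACEHOLDER', 'dbname' => 'site'];
// where www_app is an assumed DB account granted only what the site needs.
declare(strict_types=1);

// Refuse to load a credentials file that the web server could also serve:
// it must be a .php file (a .txt is sent verbatim) and must not resolve to
// a path under DOCUMENT_ROOT, whatever path the caller passed in.
function loadDbConfig(string $path): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("credentials file not found: $path");
    }
    if (substr($real, -4) !== '.php') {
        throw new RuntimeException("credentials file must be .php, got $real");
    }
    $docroot = empty($_SERVER['DOCUMENT_ROOT']) ? false : realpath($_SERVER['DOCUMENT_ROOT']);
    if ($docroot !== false
        && strncmp($real, $docroot . DIRECTORY_SEPARATOR, strlen($docroot) + 1) === 0) {
        throw new RuntimeException("credentials file $real is inside the document root");
    }
    $cfg = include $real;   // the file returns an array instead of setting globals
    foreach (['host', 'user', 'password', 'dbname'] as $key) {
        if (!isset($cfg[$key])) {
            throw new RuntimeException("credentials file is missing '$key'");
        }
    }
    return $cfg;
}

// Connect with the restricted account; mysqli throws instead of failing silently.
function connectDb(array $cfg): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli($cfg['host'], $cfg['user'], $cfg['password'], $cfg['dbname']);
}

// __DIR__ is this script's directory, so the path does not depend on the
// current working directory or on include_path.
$db = connectDb(loadDbConfig(__DIR__ . '/../private/db.php'));
```

The check is cheap insurance against a later deployment that copies private/ into the web root, which would turn the include path into a URL a browser could request.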
