...

Securely connect to mysql with php?



Link187
02-24-2012, 09:44 AM
I'm using this code to connect to my database and wanted to know if it was secure:


<?php
// connect.php - kept outside the web root so the credentials are never served as a page
define("DB_SERVER", "db4009.db.blah.com");
define("DB_USER", "dbo4009");
define("DB_PASS", "50me60pass");
define("DB_NAME", "db40092");

$link = mysql_connect(DB_SERVER, DB_USER, DB_PASS);
if (!$link) {
    die('Connection failed: ' . mysql_error());
}
$db_selected = mysql_select_db(DB_NAME, $link);
if (!$db_selected) {
    die('Can\'t select database: ' . mysql_error());
}
// no closing ?> tag: in an include file it can only emit stray whitespace before headers are sent

It's in a separate file (called connect.php) outside the root folder and will be referenced with <?php require_once("../../includes/connect.php"); ?> at the top of each page that needs to connect to the db.

If it's not secure, can anyone give me the steps for securing it? I'm very new to PHP and just need a way to connect securely so I can move on and build my application with peace of mind.

tangoforce
02-24-2012, 10:19 AM
If your connect file is outside of the root folder (i.e. above it) then that at least is secure (unless someone hacks into the server's operating system).

As for the connection itself, you can never guarantee that. If it's on the same machine as your site (e.g. localhost) then yes, it's reasonably secure. If it's on a remote machine then packet sniffers and all sorts could potentially be used. PHP opens a TCP connection to MySQL and packet sniffers can pick these up. That does not, however, mean that you will suffer from this (not unless you are in hacker chat rooms and manage to pee them all off, etc.). This is a risk we all live with on a daily basis, just like having your main PC / home network connected to the web.

Code-wise, yes, it's pretty much the same as what we're all limited to, so yes, from that perspective it's secure.
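The remote-connection risk described above has a concrete mitigation the thread does not spell out: have MySQL encrypt the link itself, so a sniffer on the path between the web server and the database sees only ciphertext. The connect.php below is an added example, not code posted by anyone in this thread. It uses mysqli rather than the mysql_* functions in the original post (those were deprecated in PHP 5.5 and removed in PHP 7.0), insists on TLS with server-certificate verification whenever the host is not local, confirms after connecting that the session really is encrypted, and logs failures instead of echoing mysql_error() to the visitor. The host, credentials, port and CA file path are placeholders, and the MYSQLI_OPT_SSL_VERIFY_SERVER_CERT option assumes PHP 5.6.16 or later.

```php
<?php
// connect.php - lives outside the web root; pages load it with require_once.
// Added example: every value below is a placeholder, not a real credential.

define('DB_SERVER',  'db4009.db.blah.com');   // hostname from the hosting panel
define('DB_PORT',    3306);
define('DB_USER',    'dbo4009');
define('DB_PASS',    'change-me');
define('DB_NAME',    'db40092');
// CA certificate that signed the MySQL server's certificate (ask the host for it).
define('DB_CA_FILE', '/home/user/private/mysql-ca.pem');   // assumed path

function db_is_local($host) {
    // "localhost" means the Unix socket; the loopback addresses never leave the box.
    return $host === 'localhost' || $host === '127.0.0.1' || $host === '::1';
}

function db_fail($detail) {
    error_log('connect.php: ' . $detail);   // real reason goes to the server log
    http_response_code(500);
    exit('Database unavailable.');          // generic message for the browser
}

function db_connect() {
    mysqli_report(MYSQLI_REPORT_OFF);       // we check return values ourselves
    $link = mysqli_init();
    if (!$link) {
        db_fail('mysqli_init failed');
    }

    $flags = 0;
    if (!db_is_local(DB_SERVER)) {
        // Remote server: require TLS, and require the server certificate to chain
        // to our CA, so a man-in-the-middle with a self-signed cert is rejected.
        mysqli_ssl_set($link, NULL, NULL, DB_CA_FILE, NULL, NULL);
        mysqli_options($link, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
        $flags = MYSQLI_CLIENT_SSL;
    }

    if (!mysqli_real_connect($link, DB_SERVER, DB_USER, DB_PASS, DB_NAME,
                             DB_PORT, NULL, $flags)) {
        // mysqli_connect_error() can contain the host and user name: log it, do not show it.
        db_fail('connect: ' . mysqli_connect_error());
    }

    mysqli_set_charset($link, 'utf8mb4');   // fixed charset; avoids escaping surprises

    if (!db_is_local(DB_SERVER)) {
        // Ask the server whether this session is encrypted: Ssl_cipher is empty on cleartext links.
        $res = mysqli_query($link, "SHOW STATUS LIKE 'Ssl_cipher'");
        $row = $res ? mysqli_fetch_row($res) : NULL;
        if (!$row || $row[1] === '') {
            mysqli_close($link);
            db_fail('connection to remote MySQL is not encrypted');
        }
    }
    return $link;
}

$link = db_connect();
```

If the host's MySQL server does not offer TLS at all, mysqli_real_connect() fails with the MYSQLI_CLIENT_SSL flag set; that is the correct outcome for a remote database carrying data you are obliged to protect, and the thing to take up with the host. When DB_SERVER is localhost the TLS branch is skipped, since traffic over the Unix socket never touches the network.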

Link187
02-24-2012, 11:19 AM
Thanks for your reply. it really clarifies things.

If your connect file is outside of the root folder (i.e. above it) then that at least is secure (unless someone hacks into the server's operating system).
I'm with a major host (1and1.com) so I'm relying on their security to prevent this (i.e. that part is out of my control).


... If it's on the same machine as your site (e.g. localhost) then yes, it's reasonably secure. If it's on a remote machine then packet sniffers and all sorts could potentially be used. PHP opens a TCP connection to MySQL and packet sniffers can pick these up.

I think it's on the same (1and1-hosted) machine, but they have many machines, so the MySQL server might be at a different place than the machine that's hosting my PHP files and site? Will this have an impact? And do I need to contact them to check?

Code-wise, yes, it's pretty much the same as what we're all limited to
If the code that I posted is secure (i.e. what most people use) then I can focus on the rest of my app.

tangoforce
02-24-2012, 12:18 PM
I think it's on the same (1and1-hosted) machine, but they have many machines, so the MySQL server might be at a different place than the machine that's hosting my PHP files and site? Will this have an impact? And do I need to contact them to check?


The easy way to check is to try connecting on localhost instead of db4009.db.blah.com.

If you get a successful connection and login then it's on the same physical machine.
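Trying localhost tells you whether a local server answers; it does not tell you what transport the existing connection uses, nor how the database end sees the web server. The diagnostic below is an added example (not from this thread) that asks the connection itself: the client library reports "via UNIX socket" or "via TCP/IP", the server reports its own hostname and the address it matched the login against, and the Ssl_cipher status shows whether the wire is encrypted. Credentials are placeholders; it is meant to be run once and then deleted.

```php
<?php
// db_where.php - one-off diagnostic. Delete it afterwards so it never stays
// reachable on the site. Added example with placeholder credentials.

$host = 'db4009.db.blah.com';   // run once with this, once with 'localhost'
$user = 'dbo4009';
$pass = 'change-me';
$name = 'db40092';

function db_scalar($link, $sql) {
    // First column of the first row, or null on error.
    $res = mysqli_query($link, $sql);
    if (!$res) { return null; }
    $row = mysqli_fetch_row($res);
    return $row ? $row[0] : null;
}

function db_status($link, $var) {
    // Value column of SHOW STATUS LIKE '<var>', or null.
    $res = mysqli_query($link, "SHOW STATUS LIKE '" . mysqli_real_escape_string($link, $var) . "'");
    if (!$res) { return null; }
    $row = mysqli_fetch_row($res);
    return $row ? $row[1] : null;
}

function db_locate($host, $user, $pass, $name) {
    $link = @mysqli_connect($host, $user, $pass, $name);
    if (!$link) {
        return array('connected' => false, 'error' => mysqli_connect_error());
    }
    $info = array('connected' => true);

    // Transport as the client library sees it. "Localhost via UNIX socket"
    // means no packet ever leaves the machine; "... via TCP/IP" means it does.
    $info['transport'] = mysqli_get_host_info($link);

    // The database server's hostname versus the web server's hostname.
    $info['db_host']  = db_scalar($link, 'SELECT @@hostname');
    $info['web_host'] = gethostname();
    $info['same_box'] = ($info['db_host'] === $info['web_host']);

    // How MySQL identifies this session; the part after @ is the client
    // address the grant matched, e.g. 'localhost' or an internal IP.
    $info['seen_as'] = db_scalar($link, 'SELECT USER()');

    // Empty string here means the session is cleartext on the wire.
    $info['tls_cipher'] = db_status($link, 'Ssl_cipher');

    mysqli_close($link);
    return $info;
}

header('Content-Type: text/plain');
foreach (db_locate($host, $user, $pass, $name) as $k => $v) {
    echo str_pad($k, 12), ': ', var_export($v, true), "\n";
}
```

Read the results in this order: a UNIX-socket transport settles the question (local, unsniffable); a matching hostname confirms the same box; a mismatch does not prove a different box, since hosts sometimes run MySQL in a container or under a different name, but a TCP/IP transport with an empty tls_cipher is exactly the case the sniffing warning above is about.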

Dan13071992
02-24-2012, 10:06 PM
The easy way to check is to try connecting on localhost instead of db4009.db.blah.com.

If you get a successful connection and login then it's on the same physical machine.



This is slightly off topic, however it still relates in a way. I've been with 1and1.com as a host before; they hardly ever host the MySQL on the same server you are on. Plus, in my opinion they are one of the worst hosts in the world: they are overpriced and have very, very bad customer service. Even when I was with them I couldn't connect to a MySQL server on the same machine my hosting was on, and my friend, who I'm pretty sure had dedicated hosting with them if memory serves me right, even he couldn't connect using localhost to the MySQL server. Their php.ini settings are overwritten even if you set them, which I know a lot of shared hosting does also, but theirs resets straight away.

Sorry, it all seems off topic; I just thought I would give TF an insight into 1and1 in case he hasn't had experience with them, and also to help you. However, it is your opinion that counts.

Dan

felgall
02-24-2012, 10:40 PM
I'm with a major host (1and1.com) so I'm relying on their security to prevent this (i.e. that part is out of my control).

It is up to you whether you put the connection file inside or outside of your web root folder (unless you are using a host that doesn't allow you access outside the web root to place files). So that aspect of security is under your control and not that of your hosting provider.

The simplest way to move it for an existing script (if you don't want to change all the references to that file) is to copy the file outside of the root and then replace the content of the original with a single require_once statement.

Dan13071992
02-24-2012, 10:47 PM
Just a quick question, for myself, and maybe Link187 might be able to use this: if you are using a require_once and the file is above your root, how would you code it? Because at the moment mine is in my includes folder, and I'm not sure how to rewrite this:



require_once('/domains/crime-wave.co.uk/public_html');


That's where I upload files to, so my actual include folder is:

/domains/crime-wave.co.uk/public_html/includes

How would I write that so that it's above my webroot?

It sounds so noobish, I know; however, a lot of us are still here to learn, so I do apologise for being so "noobish".

Dan

tangoforce
02-24-2012, 11:46 PM
../ means up one level. ../../ up two levels etc.

Dan13071992
02-24-2012, 11:51 PM
So mine would be:

public_html as the web root, meaning that my new link should be:

require_once('../../connect.php'); as the db_connect.php is in the includes folder?

tangoforce
02-25-2012, 08:36 PM
No.

If your main script is in public_html and your connect.php is outside it (i.e. up one level) then you just need ../connect.php

../ for each level up you need to go.

Alternatively if you have this:

/includes/
/public_html/

Then you would use ../includes/connect.php

Dan13071992
02-25-2012, 08:40 PM
My db_connect is in

/public_html/includes/

and I want that script to require the new file connect.php, which will be above the webroot, so would that then be require_once('../../connect.php');?

Microsuck
02-25-2012, 09:44 PM
This is slightly off topic, however it still relates in a way. I've been with 1and1.com as a host before; they hardly ever host the MySQL on the same server you are on. Plus, in my opinion they are one of the worst hosts in the world: they are overpriced and have very, very bad customer service. Even when I was with them I couldn't connect to a MySQL server on the same machine my hosting was on, and my friend, who I'm pretty sure had dedicated hosting with them if memory serves me right, even he couldn't connect using localhost to the MySQL server. Their php.ini settings are overwritten even if you set them, which I know a lot of shared hosting does also, but theirs resets straight away.

Sorry, it all seems off topic; I just thought I would give TF an insight into 1and1 in case he hasn't had experience with them, and also to help you. However, it is your opinion that counts.

Dan

I have had my VPS with them for quite a while. Very inexpensive, great performance, and their customer support has helped me with all my issues and been great to me.

Dan13071992
02-25-2012, 10:30 PM
I have had my VPS with them for quite a while. Very inexpensive, great performance, and their customer support has helped me with all my issues and been great to me.

They might have better customer support for VPS hosting customers, I don't know; I just wanted to share my personal opinion of shared hosting with 1and1, which I found one of the worst I've ever been with, but hey ho, that's my opinion :)

I'm not saying what you're saying is wrong, because I've never had VPS hosting, let alone with 1and1.com, but as I said, on their shared hosting packages you can't connect to localhost as they host MySQL on another server.

Dan

tangoforce
02-26-2012, 12:37 AM
My db_connect is in

/public_html/includes/

and I want that script to require the new file connect.php, which will be above the webroot, so would that then be require_once('../../connect.php');?

Yes, that's correct :thumbsup:

Dan13071992
02-26-2012, 01:48 PM
Using that, I get this error:



Warning: require_once(../../connect.php) [function.require-once]: failed to open stream: No such file or directory in /home/crimewav/domains/crime-wave.co.uk/public_html/includes/db_connect.php on line 2

Fatal error: require_once() [function.require]: Failed opening required '../../connect.php' (include_path='.:/usr/local/php5/lib/php') in /home/crimewav/domains/crime-wave.co.uk/public_html/includes/db_connect.php on line 2


Any idea why?

tangoforce
02-26-2012, 05:12 PM
Your connect.php might not be accessible to PHP. Check to see if PHP can see it first by using file_exists() inside an if(), and if it does, then it's possibly a permissions problem.
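The error message above does not distinguish two different causes. In PHP, a require path that starts with ../ is resolved against the current working directory of the request, which under a web server is normally the directory of the page being served (public_html), not the directory of the file that contains the require statement; so inside public_html/includes/db_connect.php, '../../connect.php' is looked for two levels above public_html rather than one. The other cause is the one tangoforce names: the file is there but the web server user cannot read it. Anchoring the path on __DIR__ removes the first problem and an explicit readability check reports the second. This is an added example, not code from this thread; the directory layout follows the paths Dan quoted, and the file names are assumed.

```php
<?php
// public_html/includes/db_connect.php
// Added example: load the real connection file from above the web root.
// Layout assumed (from the paths quoted in the thread):
//   /home/crimewav/domains/crime-wave.co.uk/connect.php            <- credentials, not web-served
//   /home/crimewav/domains/crime-wave.co.uk/public_html/           <- web root
//   /home/crimewav/domains/crime-wave.co.uk/public_html/includes/  <- this file's directory

function private_file($relative) {
    // __DIR__ is the directory of THIS file, so the result no longer depends on
    // which page was requested or what its working directory is. realpath()
    // collapses the ../ segments and returns false if the file does not exist.
    $wanted = __DIR__ . '/' . $relative;
    $path = realpath($wanted);
    if ($path === false) {
        return array(null, 'not found: ' . $wanted);
    }
    if (!is_readable($path)) {
        // Exists, but the user PHP runs as cannot read it: a permissions problem.
        return array(null, 'not readable: ' . $path);
    }
    return array($path, null);
}

list($connect, $err) = private_file('../../connect.php');
if ($err !== null) {
    error_log('db_connect.php: ' . $err);   // full path to the log, not to the visitor
    http_response_code(500);
    exit('Database unavailable.');
}
require_once $connect;
```

With this in place a page at public_html/index.php and one at public_html/admin/index.php both resolve to the same connect.php. If the log shows "not readable", check the file's owner and mode on the server; on shared hosting the FTP user and the user PHP runs as are not always the same, so a file that is readable to you is not necessarily readable to PHP.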

Link187
02-29-2012, 10:08 AM
If it's on the same machine as your site (e.g. localhost) then yes, it's reasonably secure. If it's on a remote machine then packet sniffers and all sorts could potentially be used. PHP opens a TCP connection to MySQL and packet sniffers can pick these up.
It's NOT on the same machine, but it may be on a machine on their local network. Would this be a dealbreaker for you guys? i.e. how critical is it to have it on the localhost? FYI: security is pretty important to me; I have pretty strict data protection standards to meet.


