...

More Secure?



losse
04-29-2006, 07:32 PM
Hi there

Just wondering if doing this on your scripts:



<?php include 'connection.inc.php'; ?>


Is more secure than this:



<?php
$host = "xx";
$user = "xx";
$pass = "xx";
$db = "xx";
?>


Basically, will putting your connection data in an include be more secure than not...

Thanks

ralph l mayo
04-29-2006, 08:06 PM
Doesn't really make a difference. You could argue that if the user accessible file has:



define('FOO', 1);
include 'connection.inc.php';


and the include has, at the top:


if (!defined('FOO'))
{
exit();
}

$stuff = 'otherstuff';
//...


There is a bit more security.

The idea is to keep the include from being directly accessed, where I guess it is easier to mess with. phpBB did something like this the last time I looked at it. I honestly don't know how it helps but with all the holes that have opened and closed in phpBB's security I can only assume it cuts down on some route of attack.

Muhammad Haris
04-29-2006, 08:52 PM

Thanks, Post Bookmarked! :) :thumbsup:

djm0219
04-29-2006, 09:26 PM
<?php include 'connection.inc.php'; ?>


Is more secure than this:

If you keep your includes in a directory outside of the web root it will be. Anything in that include directory can't be accessed directly at all by the web server and, in theory, should not accidentally be shown if the web server config gets messed up. I always have exactly one file that the web server can see and that's index.php. Everything else lives in another directory outside of the web root.
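An added example, not code posted in this thread, that puts the two ideas above together: ralph l mayo's guard constant at the top of the include, and djm0219's layout where index.php is the only file under the web root. It shows two files. The directory paths, the constant name IN_SITE, the use of PDO and the placeholder credentials are all assumptions made for illustration.

```php
<?php
// File: /var/www/site/public/index.php
//
// Assumed layout (only public/ is the web server's document root):
//
//   /var/www/site/
//     public/index.php          <- the one file the web server can serve
//     app/connection.inc.php    <- credentials; outside the web root
//
// The constant marks this script as a legitimate entry point. Its name
// is an assumption; anything unlikely to be defined elsewhere works.
define('IN_SITE', true);

// require, not include: a missing file is then a fatal error instead of a
// warning followed by a script that runs with no credentials at all.
// __DIR__ keeps the path absolute, independent of the working directory.
$db = require __DIR__ . '/../app/connection.inc.php';

// Example use of the returned connection, with a bound parameter.
$stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
$stmt->execute([':id' => (int) ($_GET['id'] ?? 0)]);
var_dump($stmt->fetch(PDO::FETCH_ASSOC));
```

```php
<?php
// File: /var/www/site/app/connection.inc.php
//
// Guard: if this file is ever reached directly (which can only happen if it
// was wrongly placed under the web root and still gets parsed as PHP), the
// constant is missing and the script stops before doing anything. Note that
// the test is defined(), not the constant's value.
if (!defined('IN_SITE')) {
    http_response_code(403);
    exit('Direct access is not allowed.');
}

// Placeholder credentials (assumed values, as in the original post).
$host = 'localhost';
$user = 'xx';
$pass = 'xx';
$name = 'xx';

// Return the connection to the requiring script rather than leaving
// $host/$user/$pass lying around in the global scope of every page.
return new PDO(
    "mysql:host=$host;dbname=$name;charset=utf8mb4",
    $user,
    $pass,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);
```

The guard only helps when the file is served through PHP; if the server ever hands the file out as plain text, the check never runs, which is why keeping the include outside the document root is the part that actually keeps the credentials off the wire.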

trib4lmaniac
04-29-2006, 10:03 PM
Accessing the page doesn't make any difference anyway, unless it doesn't get parsed :|

felgall
04-29-2006, 11:08 PM
If you don't have access to put the files above the root folder then placing the includes in a password protected folder is almost as good. PHP can still access them but they can't be accessed any other way without the password.

Muhammad Haris
04-29-2006, 11:16 PM
If you don't have access to put the files above the root folder then placing the includes in a password protected folder is almost as good. PHP can still access them but they can't be accessed any other way without the password.

Some people get hacked in that situation as well!

losse
04-30-2006, 01:50 PM
Could someone explain what this is all about



define('FOO', 1);
include 'connection.inc.php';

if (!defined('FOO'))
{
exit();
}

$stuff = 'otherstuff';
//...


I don't get this all that much but would love an explanation.

Thanks!

Muhammad Haris
04-30-2006, 02:15 PM
Well, let's say you have this in connection.inc.php.

In the code below we say that if the constant OPEN is not defined in the PHP file that include()s it, then exit() is called, meaning that the script stops immediately.


if (!defined('OPEN'))
{
exit();
}

This increases the security so that no one can directly access the file.


define('OPEN', 1);

will connect to connection.inc.php; otherwise, with define('OPEN', 0), it will not connect to the database, and the same if neither line is written.

felgall
04-30-2006, 11:31 PM
Some people get hacked in that situation as well!

Yes but it is better than the alternatives if you don't have access to anywhere above the root folder on the hosting. Some people get hacked even with their files above the root too for that matter. It is all a matter of degrees of difficulty and the only way to be 100% safe is to not put the files onto a computer in the first place.


