McCrockett Posted April 1, 2006

Hello: I recently made a flash application that dynamically loads photos from an XML that is actually created from a PHP page which pulls its information from a MySql database. I think the following tutorial explains how this can be done (more or less): Kirupa Tutorial

Anyhow, my question: Is this very secure? I mean, the following code that requires my username and password kinda frightens me:

    $host = "localhost";
    $user = "root";
    $pass = "";
    $database = "test";
    $linkID = mysql_connect($host, $user, $pass) or die("Could not connect to host.");

I realize this host is really secure... but I'm not making it any easier for hackers by using this code, am I?

stevevan Posted April 2, 2006

While not a security expert, I would think that as long as you don't have this in your www directory (and the proper permissions set), you should be ok. If I'm wrong, I'm sure others will chime in with the correct answer.

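An added example (not part of any post in this thread) of the arrangement stevevan describes: the credentials sit in a file outside the web root with owner-only permissions, and the PHP page loads them from there. The path /home/example/private/db.ini, the account gallery_ro and the function names are assumptions for illustration, and the permission check assumes PHP runs as the account that owns the file.

```php
<?php
// Added example; the path, file name and account below are assumptions.
// /home/example/private/db.ini (outside the web root, mode 0600) holds:
//   host = localhost
//   user = gallery_ro    ; limited account (SELECT on one database), not root
//   pass = "constructed-placeholder"
//   name = test

function load_db_config(string $path, string $docRoot): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException('config file not found');
    }
    // Refuse a file the web server could serve as a static download.
    $root = $docRoot !== '' ? realpath($docRoot) : false;
    if ($root !== false && strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('config file is inside the document root');
    }
    // Refuse group/world permission bits (POSIX hosts): owner-only access.
    if ((fileperms($real) & 0077) !== 0) {
        throw new RuntimeException('config file is accessible to other accounts');
    }
    $cfg = parse_ini_file($real);
    foreach (['host', 'user', 'pass', 'name'] as $key) {
        if (!is_array($cfg) || !isset($cfg[$key])) {
            throw new RuntimeException("config key missing: $key");
        }
    }
    return $cfg;
}

function connect_db(array $cfg): mysqli
{
    // Make connection failures throw instead of emitting warnings into the page.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name']);
}

try {
    $cfg = load_db_config('/home/example/private/db.ini', $_SERVER['DOCUMENT_ROOT'] ?? '');
    $db  = connect_db($cfg);
} catch (Throwable $e) {
    error_log('db setup failed: ' . $e->getMessage()); // detail stays in the server log
    http_response_code(500);
    exit('Could not connect to host.');                // visitor sees a generic message
}
```
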
MarkMan Posted April 3, 2006

Here's a pretty good discussion that helped me in the past to feel more secure in how I connect to a MySQL DB: http://www.totalchoicehosting.com/forums/i...?showtopic=2399

McCrockett Posted April 3, 2006

I posted the same question in a different forum and I guess I'll post some of the answers I received just in case anybody else ever has similar questions:

Everyone uses that exact same script to connect to their DB with PHP. And it sounds like you have a good secure host you shouldn't worry. The only way for them to get your .php file is through a lot of work and your little DB is not of interest to them lol.

Someone can't view PHP code unless they have filesystem access.

That's how everyone connects to a database...giving username and password...

The PHP code you use to display your site is not considered open source unless you're allowing people access to view it. In other words your php file with your username, host, password, etc. for your MySQL database connection isn't something that someone can just look at and get. If it were that easy you'd have seen a ton of various methods to make sure getting that information was not possible. And you probably would see putting that info into a php file on the PHP website.

Anyhow, I feel a lot better about it now. Thanks everybody.

abinidi Posted April 3, 2006

I was just about to reply with something similar to what is above. Basically, if you want to use a database, you have to connect to it somehow. You have to provide the login credentials in order to have access to the database.

It may sound insecure, but what you have to remember is that PHP is happening SERVER side, not client side. That means that somebody calls your .php page that has the database login script. The server connects to the database and gets the information requested before it ever sends the information to the browser. The PHP information is never sent to the browser. It is all happening on the server. The browser only gets the result, along with the non-PHP content in the PHP script (stuff outside the PHP tags).

So, you don't have to worry about this. It really is how everybody connects to a MySQL database using PHP. It really is secure, because it is all happening on the server. You can verify this by hitting the PHP page and then using the 'view source' option. The stuff in the PHP tags simply isn't there. You really can feel secure in connecting to your database in this manner!