  1. #1
    New Coder

    Securely connect to mysql with php?

    I'm using this code to connect to my database and wanted to know if it was secure:

    Code:
    <?php
    // Connection settings
    define("DB_SERVER", "db4009.db.blah.com");
    define("DB_USER", "dbo4009");
    define("DB_PASS", "50me60pass");
    define("DB_NAME", "db40092");

    // Open the connection, then select the database; stop on either failure
    $link = mysql_connect(DB_SERVER, DB_USER, DB_PASS);
    if (!$link) { die('Connection failed: ' . mysql_error()); }
    $db_selected = mysql_select_db(DB_NAME, $link);
    if (!$db_selected) { die('Can\'t select database: ' . mysql_error()); }
    ?>
    It's in a separate file (called connect.php) outside the root folder and will be referenced with <?php require_once("../../includes/connect.php"); ?> at the top of each page that needs to connect to the db.

    If it's not secure, can anyone give me the steps for securing it? I'm very new to PHP and just need a way to connect securely so I can move on and build my application with peace of mind.
    Last edited by Link187; 02-24-2012 at 09:09 AM.

  • #2
    Senior Coder
    If your connect file is outside of the root folder (i.e. above it) then that at least is secure (unless someone hacks into the server's operating system).

    As for the connection itself, you can never guarantee that. If it's on the same machine as your site (e.g. localhost) then yes, it's reasonably secure. If it's on a remote machine then packet sniffers and all sorts could potentially be used. PHP opens a TCP connection to MySQL and packet sniffers can pick these up. That does not, however, mean that you will suffer from this (not unless you are in hacker chat rooms and manage to pee them all off etc). This is a risk we all live with on a daily basis - just like having your main PC / home network connected to the web.

    Code-wise, yes, it's pretty much the same as we're all limited to, so yes, from that perspective it's secure.
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!

  • Users who have thanked tangoforce for this post:

    Link187 (02-24-2012)
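
Added example (not part of the thread and not any poster's code): for the remote-database case raised in post #2, one option is to have mysqli negotiate TLS and to log driver errors instead of printing them to the visitor. It assumes the host's MySQL server offers TLS and that the mysqli extension is available; the password and CA bundle path are placeholders, and `db_connect_tls()` is a hypothetical name.

```php
<?php
// Assumed to live above the web root, e.g. ../../includes/connect.php.
// Host, user and database name are the thread's sample values.
define('DB_SERVER',  'db4009.db.blah.com');
define('DB_USER',    'dbo4009');
define('DB_PASS',    'CHANGE_ME');                 // placeholder
define('DB_NAME',    'db40092');
define('DB_CA_FILE', '/path/to/provider-ca.pem');  // placeholder CA bundle

function db_connect_tls()
{
    // Make mysqli throw exceptions so a failed call cannot be silently ignored.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

    $db = mysqli_init();
    $db->options(MYSQLI_OPT_CONNECT_TIMEOUT, 5);
    // No client key/certificate: only the CA used to validate the server.
    $db->ssl_set(null, null, DB_CA_FILE, null, null);

    try {
        $db->real_connect(DB_SERVER, DB_USER, DB_PASS, DB_NAME,
                          3306, null, MYSQLI_CLIENT_SSL);

        // Confirm the session really is encrypted before using it.
        $row = $db->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch_assoc();
        if (empty($row['Value'])) {
            throw new RuntimeException('MySQL session is not encrypted');
        }
        $db->set_charset('utf8mb4');
    } catch (Exception $e) {
        // Details go to the server log; the visitor gets a generic message,
        // so host names and account names are not echoed into the page.
        error_log('DB connect failed: ' . $e->getMessage());
        http_response_code(500);
        exit('Service temporarily unavailable.');
    }
    return $db;
}
```

Pages would call `$db = db_connect_tls();` after the `require_once`; if the server does not support TLS the connection attempt fails rather than falling back to plaintext.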

  • #3
    New Coder
    Thanks for your reply. It really clarifies things.
    Quote Originally Posted by tangoforce
    If your connect file is outside of the root folder (i.e. above it) then that at least is secure (unless someone hacks into the server's operating system).
    I'm with a major host (1and1.com) so I'm relying on their security to prevent this (i.e. that part is out of my control).

    Quote Originally Posted by tangoforce
    ... If it's on the same machine as your site (e.g. localhost) then yes, it's reasonably secure. If it's on a remote machine then packet sniffers and all sorts could potentially be used. PHP opens a TCP connection to MySQL and packet sniffers can pick these up.
    I think it's on the same (1and1 hosted) machine, but they have many machines, so the MySQL server might be at a different place than the machine that's hosting my PHP files and site? Will this have an impact? And do I need to contact them to check?
    Quote Originally Posted by tangoforce
    Code-wise, yes, it's pretty much the same as we're all limited to
    If the code that I posted is secure (i.e. what most people use) then I can focus on the rest of my app.

  • #4
    Senior Coder
    Quote Originally Posted by Link187 View Post
    I think it's on the same (1and1 hosted) machine, but they have many machines, so the MySQL server might be at a different place than the machine that's hosting my PHP files and site? Will this have an impact? And do I need to contact them to check?
    The easy way to check is to try connecting on localhost instead of db4009.db.blah.com.

    If you get a successful connection and login then it's on the same physical machine.

  • #5
    Regular Coder
    Quote Originally Posted by tangoforce View Post
    The easy way to check is to try connecting on localhost instead of db4009.db.blah.com.

    If you get a successful connection and login then it's on the same physical machine.

    This is slightly off topic, however it still relates in a way. I've been with 1and1.com as a host before; they hardly ever host the MySQL off of the same server you are on. Plus, in my opinion, they are one of the worst hosts in the world: they are overpriced and have very, very bad customer service. But even when I was with them I couldn't connect to a MySQL server on the same machine my hosting was on, and my friend, who I'm pretty sure had dedicated hosting with them if memory serves me right, even he couldn't connect using localhost to the MySQL server. Their php.ini settings are overwritten even if you set them, which I know a lot of shared hosting does also, but theirs resets straight away.

    Sorry it all seems off topic, I just thought I would give TF an insight into 1and1 in case he hasn't had experience with them, and also to help you; however, it is your opinion that counts.

    Dan
    http://360-tactics.co.uk/forum/index.php

    Crime-Wave

    please post your code wrapped in tags
    please post your PHP wrapped in tags

  • #6
    Master Coder felgall's Avatar
    Quote Originally Posted by Link187 View Post
    I'm with a major host (1and1.com) so I'm relying on their security to prevent this (i.e. that part is out of my control).
    It is up to you whether you put the connection file inside or outside of your web root folder (unless you are using a host that doesn't allow you access outside the web root to place files). So that aspect of security is under your control and not that of your hosting provider.

    The simplest way to move it for an existing script (if you don't want to change all the references to that file) is to copy the file outside of the root and then replace the content of the original with a single require_once statement.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.

  • #7
    Regular Coder
    Just a quick question, for myself, and maybe Link187 might be able to use this too: if you are using a require_once and the file is above your root, how would you code it? At the moment mine is in my includes folder, and I'm not sure how to rewrite this:

    PHP Code:
    require_once('/domains/crime-wave.co.uk/public_html'); 
    That's where I upload files to, so my actual include folder is:

    /domains/crime-wave.co.uk/public_html/includes

    How would I write that so that it's above my webroot?

    It sounds so noobish, I know, however a lot of us are still here to learn, so I do apologise for being so "noobish".

    Dan

  • #8
    Senior Coder
    ../ means up one level. ../../ up two levels etc.

  • #9
    Regular Coder
    So mine would be:

    public_html as the web root, meaning that my new link should be:

    require_once('../../connect.php'); as the db_connect.php is in the includes folder?

  • #10
    Senior Coder
    No.

    If your main script is in public_html and your connect.php is outside it (i.e. up one level) then you just need ../connect.php

    ../ for each level up you need to go.

    Alternatively if you have this:

    /includes/
    /public_html/

    Then you would use ../includes/connect.php

  • #11
    Regular Coder
    My db_connect is in

    /public_html/includes/

    and I want that script to require the new file connect.php, which will be above the webroot, so would that then be require_once('../../connect.php'); ?

  • #12
    Regular Coder Microsuck's Avatar
    Quote Originally Posted by Dan13071992 View Post
    This is slightly off topic, however it still relates in a way. I've been with 1and1.com as a host before; they hardly ever host the MySQL off of the same server you are on. Plus, in my opinion, they are one of the worst hosts in the world: they are overpriced and have very, very bad customer service. But even when I was with them I couldn't connect to a MySQL server on the same machine my hosting was on, and my friend, who I'm pretty sure had dedicated hosting with them if memory serves me right, even he couldn't connect using localhost to the MySQL server. Their php.ini settings are overwritten even if you set them, which I know a lot of shared hosting does also, but theirs resets straight away.

    Sorry it all seems off topic, I just thought I would give TF an insight into 1and1 in case he hasn't had experience with them, and also to help you; however, it is your opinion that counts.

    Dan
    I have had my VPS with them for quite a while. Very inexpensive, great performance, and their customer support has helped me with all my issues and been great to me.
    PHP Code:
    <?php echo "Microsuck says hi!"?>

  • #13
    Regular Coder
    Quote Originally Posted by Microsuck View Post
    I have had my VPS with them for quite a while. Very inexpensive, great performance, and their customer support has helped me with all my issues and been great to me.
    They might have better customer support for VPS hosting customers, I don't know. I just wanted to share my personal opinion of shared hosting with 1and1, which I found one of the worst I've ever been with, but hey ho, that's my opinion.

    I'm not saying what you're saying is wrong, because I've never had VPS hosting, let alone with 1and1.com, but as I said, on their shared hosting packages you can't connect to localhost as they host MySQL on another server.

    Dan

  • #14
    Senior Coder
    Quote Originally Posted by Dan13071992 View Post
    My db_connect is in

    /public_html/includes/

    and I want that script to require the new file connect.php, which will be above the webroot, so would that then be require_once('../../connect.php'); ?
    Yes, that's correct.

  • #15
    Regular Coder
    Using that, I get this error:

    Code:
    Warning: require_once(../../connect.php) [function.require-once]: failed to open stream: No such file or directory in /home/crimewav/domains/crime-wave.co.uk/public_html/includes/db_connect.php on line 2
    
    Fatal error: require_once() [function.require]: Failed opening required '../../connect.php' (include_path='.:/usr/local/php5/lib/php') in /home/crimewav/domains/crime-wave.co.uk/public_html/includes/db_connect.php on line 2
    Any idea why?
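
Added example (not from the thread): one common reason a `../../` include fails the way post #15 shows is that PHP resolves a path starting with `./` or `../` against the current working directory, not against the file that contains the `require_once`. The directory layout below is constructed in a temp directory to mirror the thread, and `include_from()` is a hypothetical helper.

```php
<?php
// Constructed layout:
//   <base>/site/connect.php                     <- above the web root
//   <base>/site/public_html/includes/db_*.php   <- the including scripts
$base     = sys_get_temp_dir() . '/include_demo_' . getmypid();
$webroot  = "$base/site/public_html";
$includes = "$webroot/includes";
mkdir($includes, 0700, true);
file_put_contents("$base/site/connect.php", "<?php return 'loaded';");

// Variant A: plain relative path, as tried in the thread.
file_put_contents("$includes/db_relative.php",
    "<?php return @include '../../connect.php';");
// Variant B: path anchored to the including file's own directory.
file_put_contents("$includes/db_anchored.php",
    "<?php return include __DIR__ . '/../../connect.php';");

// Include $script as if the request's working directory were $cwd
// (under a web server this is normally the directory of the page requested).
function include_from($cwd, $script)
{
    $previous = getcwd();
    chdir($cwd);
    $result = include $script;   // value returned by the included file
    chdir($previous);
    return $result;
}

// A page in public_html pulls in includes/db_*.php. "../../" is counted from
// public_html, so variant A looks for <base>/connect.php, which does not
// exist, and the include fails. Variant B still finds <base>/site/connect.php.
var_dump(include_from($webroot, "$includes/db_relative.php"));
var_dump(include_from($webroot, "$includes/db_anchored.php"));

// Same two files with includes/ as the working directory: now both resolve
// to <base>/site/connect.php, which is why the relative form seems to work
// in some setups and not in others.
var_dump(include_from($includes, "$includes/db_relative.php"));
var_dump(include_from($includes, "$includes/db_anchored.php"));
```

On PHP older than 5.3, `dirname(__FILE__)` gives the same anchor as `__DIR__`.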

