3

I have an HTML file with a Form on it, where once the user clicks "submit", a PHP file is called which connects to a MySQL database and updates it with data from the Form.

Question is, how do I mask/hide the passwords to the MySQL database in my PHP code file?

I'm reading all sorts of things about working with "config" files and/or moving things into different directories so as to prevent others from accessing them - I get it in theory - but what are the actual steps I'm supposed to take to make this happen? Like where do I start? What's step #1, what's step#2, etc? Everyone seems to offer little snippets of code, but I haven't found any good start-to-finish tutorial on this.

I called GoDaddy - where my account & DB are sitting - to see if their tech-support guys could help - no one was able to tell me what exactly to do, where to start, etc.

Can anyone out there help?

4
  • 2
    Flee GoDaddy now, their hosting is terrible. Commented May 16, 2012 at 4:47
  • I think the question is how do you secure your PHP file from being exploited or viewed by anyone? If someone had access to your files, they will still figure out your password however you do it... no? Commented May 16, 2012 at 4:53
  • If they have access to all your files, you can't. End of story. Commented May 16, 2012 at 4:54
  • Yeah, plus they supported SOPA. Commented May 16, 2012 at 6:16

2 Answers

5

I think the other answers here are missing the point. If I'm not mistaken, you're talking about your mysql user password. The one which you use to establish a connection to the database in the first place. Right?

Well, you don't hide this. It's in a php file which is code. The public can't read your code (assuming your server is secure) so don't worry about that. Yes, your password is stored simply as text in a php file. It's fine.


2 Comments

yes, you're right - and some of the others did indeed miss the point. I was in fact talking about securing the password I use to establish connection to the database. I thought if one just did a quick "View Source" from the browser - like they would to view the HTML code of any given page - they could see the PHP code as well - which has my password to the database. But that's not the case, is it? :-) I just tried doing "View Source" on the PHP file - all you get is the XML that the PHP file created/generated on the fly. So I guess the password IS indeed safe...? Rookie mistake:-)
The only way a user can see your PHP code is to have a misconfigured webserver which doesn't interpret the PHP code.
2

A PHP file can include other PHP files that are outside the document root. So if you make a config file (in your case it could just be a fancy name for a file that defines a bunch of variables) and place it outside the document root of your webserver, and then include this file in your client-facing PHP file, that should do the trick.

The reason to put it outside your client-facing PHP file and outside the document root is if somehow through some exploit someone was able to access the actual PHP code.

EDIT following comment from OP:

Your config file could be just like any other PHP file, beginning with <?php and ending with ?>. In between you would define at least one or two variables - $db_username and $db_password and set them equal to their corresponding values. Make note of where you put this file, and in the file that needs to establish a DB connection, just put include('/path/to/config/file'); and use the variables you defined in the mysql_connect command.

4 Comments

I upvoted, but the only problem with GoDaddy shared hosting is you can't put anything below document root the way it is set up.
You mean above document root? Really? Isn't the document root in ~/public_html or something? I'm not familiar with GoDaddy but what kind of provider forces you to put everything in a publicly visible folder?!
Yeah sorry I always get that confused about below/above. Yeah, that's really how GoDaddy does it with shared hosting at least with php.
@Ansari - ok, so how do you create a "config" file? What is the code for that, and for defining these "bunch of variables" you speak of? (and what variables do I need anyway? For what? For storing the connection string values?) And how do you include one PHP file in another? Sorry, but I'm an Objective-C/iPhone developer - not a PHP guy - I know very basic PHP. By the way, I don't think there are any issues with GoDaddy letting you create folders outside of the publicly visible ones. But if that is the case, I'll switch hosting. Either way I'd need to learn the code for this stuff. Help?
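The config-file approach from the answer above, as an added example that is not part of the original answers or comments: a config file defining `$db_username` and `$db_password` is kept outside the document root, and a loader refuses to use a copy that sits inside it. The directory layout, credentials, host, database name and function names are constructed for illustration, and PDO is used in place of `mysql_connect`, which was removed in PHP 7.

```php
<?php
// Added example: paths, credentials and function names are constructed placeholders.
function load_db_credentials(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('config file or document root not found');
    }
    // Refuse a config file that sits inside the web-served tree.
    if (strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('config file is inside the document root');
    }
    require $real; // defines $db_username and $db_password in this function's scope
    if (!isset($db_username, $db_password)) {
        throw new RuntimeException('config file did not define both variables');
    }
    return ['user' => $db_username, 'pass' => $db_password];
}

function connect_db(array $cred, string $host, string $dbName): PDO
{
    $dsn = "mysql:host=$host;dbname=$dbName;charset=utf8mb4";
    return new PDO($dsn, $cred['user'], $cred['pass'],
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
}

// Demo on a throwaway layout: private/ stands for a directory above the web root.
$base = sys_get_temp_dir() . '/cfgdemo_' . getmypid();
mkdir("$base/private", 0700, true);
mkdir("$base/public_html", 0700, true);
$configSource = <<<'PHP'
<?php
$db_username = 'example_user';
$db_password = 'example_password';
PHP;
file_put_contents("$base/private/db_config.php", $configSource);
chmod("$base/private/db_config.php", 0600);              // owner read/write only
file_put_contents("$base/public_html/db_config.php", $configSource); // misplaced copy

$cred = load_db_credentials("$base/private/db_config.php", "$base/public_html");
echo "loaded credentials for {$cred['user']}\n";
try {
    load_db_credentials("$base/public_html/db_config.php", "$base/public_html");
} catch (RuntimeException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
// With a reachable MySQL server (host and database name are placeholders):
// $pdo = connect_db($cred, 'localhost', 'example_db');
```

In a real page script, pass `$_SERVER['DOCUMENT_ROOT']` as the second argument instead of the temporary directory.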
