
I have a website that uses php to access an SQL database. It works fine and I have added various checks to make sure the user is logged in to access the required webpages etc and I am happy with that.

My question is, when they get to the reporting part of the website that uses php to access the SQL database the database username and password are passed in the php file:

$username = "username";   // database credentials hard-coded in the script
$password = "password";

// host must be a quoted string, not a bare constant
$con = mysql_connect("localhost", $username, $password) or die(mysql_error());

Is this bad practice - is there a security risk? And if so what are the ways around it?

Many thanks

  • You should not be using mysql_ functions. Use PDO or mysqli_. See us1.php.net/manual/en/mysqlinfo.api.choosing.php Commented Jun 12, 2013 at 17:17
  • If someone gains access to your server to get that password then you have bigger problems. Your bigger security risk is using mysql_* functions. Commented Jun 12, 2013 at 17:18
  • Your way is major practice ... it is ok ... a better way (practice) is to store your access data outside your document root and include it via php ... but your way is ok (but consider the hint from zdhickman). Commented Jun 12, 2013 at 17:21
  • Possible duplicate of Is it safe to place password on same folder? Commented Jun 12, 2013 at 17:26
  • Thanks for your comments - really useful and much appreciated. Just out of interest, is the reason to come away from mysql because it is being deprecated rather than a security reason? Commented Jun 12, 2013 at 17:48

2 Answers

Since the php is rendered on the server, the username and password cannot be seen by visitors to the page. So storing the data on the php page is not a bad practice. The only way to see the username and password is if someone got access to the server to view the files.

Another way is to have a config file that can be read by php but is outside of the public folders for the site.


1 Comment

Thank you - reassuring and very useful.

Storing the database login information within a php file is good practice and quite common. It is not possible for visitors to view this information, as the code is parsed before the page is sent to the user. As an additional level of security, it is good practice to configure the database to prohibit external access if it's on the same server.
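The two answers above recommend keeping the credentials in a file outside the public folders and limiting the database to local access. The following is an added example, not code from the question or from either answerer, of what the first recommendation looks like in PHP, using mysqli instead of the removed mysql_* functions. The paths (/var/www/html, /etc/myapp/db-config.php), the account name app_reporting and the reports table are assumptions chosen for illustration.

```php
<?php
// Added example: read database credentials from a file that lives OUTSIDE
// the web server's document root, so no URL can ever serve it.
//
// Assumed layout (placeholders, not from the original question):
//   /var/www/html/report.php     <- publicly reachable (document root)
//   /etc/myapp/db-config.php     <- not reachable over HTTP
//
// /etc/myapp/db-config.php contains only a returned array:
//   <?php
//   return [
//       'host'     => 'localhost',
//       'user'     => 'app_reporting',        // placeholder account
//       'password' => 'REPLACE_WITH_SECRET',  // placeholder
//       'database' => 'reports',
//   ];
// It should be owned by root, group-readable by the web server user only
// (for example chmod 0640, root:www-data).

declare(strict_types=1);

const DB_CONFIG_PATH = '/etc/myapp/db-config.php'; // assumed location

/**
 * Load the credential array from outside the document root.
 * Fails closed: a missing or unreadable file aborts without writing
 * the path or the credentials into the HTTP response.
 */
function loadDbConfig(string $path = DB_CONFIG_PATH): array
{
    if (!is_readable($path)) {
        error_log("database config not readable: $path"); // server log only
        throw new RuntimeException('database configuration unavailable');
    }
    $config = require $path;
    foreach (['host', 'user', 'password', 'database'] as $key) {
        if (!isset($config[$key]) || !is_string($config[$key])) {
            throw new RuntimeException("database configuration is missing '$key'");
        }
    }
    return $config;
}

/**
 * Open the connection with mysqli. Driver errors go to the server log;
 * the caller only sees a generic exception, so the detail that
 * die(mysql_error()) would have printed never reaches a visitor.
 */
function connectDb(array $config): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    try {
        $con = new mysqli($config['host'], $config['user'], $config['password'], $config['database']);
        $con->set_charset('utf8mb4');
        return $con;
    } catch (mysqli_sql_exception $e) {
        error_log('database connection failed: ' . $e->getMessage());
        throw new RuntimeException('database unavailable');
    }
}

/** Fetch the logged-in user's rows with a prepared statement (assumed schema). */
function fetchReportRows(mysqli $con, int $userId): array
{
    $stmt = $con->prepare('SELECT id, title, created_at FROM reports WHERE owner_id = ?');
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage inside report.php, after the site's own login check has run.
session_start();
try {
    $con  = connectDb(loadDbConfig());
    $rows = fetchReportRows($con, (int) ($_SESSION['user_id'] ?? 0));
    foreach ($rows as $row) {
        echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "\n";
    }
} catch (RuntimeException $e) {
    http_response_code(500);
    echo 'Report temporarily unavailable.';
}
```

The second answer's point is handled on the MySQL side rather than in PHP: create the application account as 'app_reporting'@'localhost' so it can only authenticate from the same machine, and set bind-address to 127.0.0.1 in the server configuration so the daemon does not listen on external interfaces at all. The config file in this layout is then only as exposed as the server's filesystem, which is the same trust boundary the first answer describes.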
