emagify — 2011-06-30T10:58:23-04:00 — #1
A newbie here... As I go through this book (Build Your Own Database Driven Site Using PHP & MySQL) I wondered: how is the password that you put into the mysqli_connect function (`$link = mysqli_connect('localhost', 'root', 'supersecretpassword')`) protected?
What prevents someone else from looking at your .php file and seeing it?
I'm only on page 185 so if it's answered later in the book just let me know and I'll be patient.
aleksejs — 2011-06-30T11:14:25-04:00 — #2
Basically, the assumption is that no one except you or the web server that executes your scripts can see their source. That is one of the reasons why you should be extra careful with file permissions, temporary backup files that IDEs sometimes create, and shared hosting as such, because more often than not they are poorly configured.
emagify — 2011-06-30T11:25:49-04:00 — #3
What do you mean when you say "the IDEs sometimes create"? What's an IDE in this context?
aleksejs — 2011-06-30T11:59:27-04:00 — #4
Integrated Development Environment, like Eclipse, NetBeans, PhpStorm or any editor you use to do your programming. Some editors create backups of files you edit and name them with an extension other than .php - if you upload the whole directory, then they get uploaded to the server along with the changed files, and a typical server setup returns files with an unknown extension as text/plain - thus the attacker can make an educated guess and try to download a file that, along with exposing internal logic (and possibly vulnerabilities), also exposes the credentials you are using to access the DB.
emagify — 2011-06-30T13:15:24-04:00 — #5
Thanks for the explanation! Mark
felgall — 2011-06-30T15:15:09-04:00 — #6
You can put the config file above the web root folder - then even if PHP were to get turned off for some reason people would still be unable to see the password hard coded in that file.
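One way to lay out what felgall describes, as an added example that is not from the book or from any poster in this thread. It assumes the web root is /var/www/html, that the credentials file is /var/www/config/db.php (one level above it), and a hypothetical database name `ijdb`:

```php
<?php
// /var/www/html/index.php  (inside the web root, so the server will serve it)
//
// The credentials file, /var/www/config/db.php, sits OUTSIDE the web root and
// contains only a returned array (assumed content, shown here as a comment):
//
//   <?php
//   return ['host' => 'localhost', 'user' => 'app_user',
//           'password' => 'supersecretpassword', 'database' => 'ijdb'];
//
// Because no URL maps to /var/www/config, the server cannot hand that file to a
// browser even if PHP stops being executed and .php files are sent as text/plain.
// On disk it should be owned by the deploy user and readable by the web server
// group only (e.g. mode 0640), so other accounts on a shared host cannot read it.
declare(strict_types=1);

$configFile = dirname(__DIR__) . '/config/db.php';   // resolves to /var/www/config/db.php

// Defensive check: refuse to start if the config was copied under the document root
// (a common deployment mistake), since it would then be one guessed URL away.
$docRoot = realpath($_SERVER['DOCUMENT_ROOT'] ?? __DIR__);
$real    = realpath($configFile);
if ($real === false || strncmp($real, $docRoot . DIRECTORY_SEPARATOR, strlen($docRoot) + 1) === 0) {
    http_response_code(500);
    exit('Database configuration is missing or stored inside the web root.');
}

$db = require $configFile;   // require returns the array the file returns

// Make mysqli throw instead of emitting warnings that could leak the DSN to visitors.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    $link = new mysqli($db['host'], $db['user'], $db['password'], $db['database']);
} catch (mysqli_sql_exception $e) {
    error_log('DB connection failed: ' . $e->getMessage()); // detail stays in the server log
    http_response_code(500);
    exit('Database unavailable.');
}
unset($db); // the script no longer needs the credentials once connected

echo 'Connected to ' . htmlspecialchars($link->host_info, ENT_QUOTES, 'UTF-8');
```

The check against `DOCUMENT_ROOT` only guards the layout; the editor-backup problem aleksejs raised is handled by keeping the credentials file out of the upload directory in the first place.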