
Well, I'm creating a database connection with the following PHP code:

<?php
// Connection settings (the constants below are now actually used)
define('DB_HOST', 'localhost');
define('DB_USER', 'root');
define('DB_PASSWORD', '');
define('DB_DATABASE', 'evantechbd');

// Pass the password constant too; the original call left it out
$db = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
if (!$db)
{
    die('Could not connect to Server: ' . mysql_error());
}
// Use the constant instead of repeating the database name as a literal
if (!mysql_select_db(DB_DATABASE, $db))
{
    die('Could not connect to DataBase : ' . mysql_error());
}
?>

Is it really secure?

  • Is there some specific reason you're worried this isn't secure? Also, the mysql_* functions are being deprecated. Commented Jan 21, 2012 at 18:50
  • What is the latest function? Commented Jan 21, 2012 at 18:52
  • PDO is a good choice. Commented Jan 21, 2012 at 18:54

2 Answers

The biggest security issue is that your root database user really should have a password.


6 Comments

Well, I'm just testing it on my localhost server. When I upload it to the server I must change this. But is it secure?
Define "secure". What are you trying to protect against? Other parts of your code are more likely to be an issue.
Protect against hacking. What is the issue?
The issue is that this code does essentially nothing by itself. There's not really any avenue for a web user to attack here, but when dealing with SQL, there are plenty of things to protect against, like SQL injection.
None of this code is vulnerable to SQL injection, as you aren't actually doing anything with SQL other than connecting in this code. See en.wikipedia.org/wiki/SQL_injection

Secure against what?

If you want it to be secure against a "rogue module", it's not. All defined values will be accessible anywhere in an included file (you should use a config and unset it after initialization).

$config = parse_ini_file('configs/config.php');
mysqli_connect(isset($config['host']) ? $config['host'] : 'localhost',
    isset($config['user']) ? $config['user'] : 'root', ...);
// Select DB
unset($config);
// Prohibit your modules from opening any file

Against a web user? Again no. You're displaying errors to the end user. You're telling anyone that you're connecting to localhost with user root if the connection fails for any reason (you should throw an exception, trigger an error and notify the user just about a database error, send mail to yourself and log the error).

And using root without password is quite a big security issue, but I'm assuming that's just example data.

4 Comments

+1. Also, using the root user in production code isn't a good idea either. A specific user should be created for each application on the server, so if the database information should get compromised, only one site would be affected.
Can you please give an example?
@KristianAntonsen yeah, you're right. We allow connections only from localhost on our mysql servers, which makes a great deal of difference in security, but there are still applications (such as phpMyAdmin) which can be abused. I prefer naming users like web_ae79ec (with a random hash as suffix) and a long (about 8-20 characters) password.
An example of your first suggestion.
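Putting both answers and the follow-up comments together, here is an added example (not code from either answer or from the question) of a connection routine that keeps credentials out of the global scope, uses a dedicated least-privilege user instead of root, and never shows the driver's error text to the visitor. It is written for PHP 7+ with PDO. The ini path `/var/www/config/db.ini`, the `web_ae79ec`-style user name, the `users` table and the log messages are assumptions; the only page-specific value reused is the database name `evantechbd`.

```php
<?php
// Added example, not from the original answers.
//
// Assumed layout: /var/www/config/db.ini lives OUTSIDE the web root and is
// readable only by the web server account. Constructed contents:
//
//   host     = localhost
//   user     = web_ae79ec
//   password = <long random value, 20+ characters>
//   dbname   = evantechbd
//
// The user is created once by the DBA with only the rights the site needs,
// reachable from localhost only (MySQL syntax, shown here as a comment):
//
//   CREATE USER 'web_ae79ec'@'localhost' IDENTIFIED BY '<long random value>';
//   GRANT SELECT, INSERT, UPDATE, DELETE ON evantechbd.* TO 'web_ae79ec'@'localhost';

/**
 * Open a PDO connection using settings read from an ini file.
 *
 * The settings live in a local variable only, so nothing is left in the
 * global scope or in constants for an included "rogue module" to read.
 */
function db_connect(string $iniPath = '/var/www/config/db.ini'): PDO
{
    $config = parse_ini_file($iniPath);
    if ($config === false) {
        throw new RuntimeException('Cannot read database configuration');
    }
    foreach (['host', 'user', 'password', 'dbname'] as $key) {
        if (!isset($config[$key])) {
            throw new RuntimeException("Missing database setting: $key");
        }
    }

    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4',
                   $config['host'], $config['dbname']);
    $pdo = new PDO($dsn, $config['user'], $config['password'], [
        // Exceptions instead of silent false returns, so failures cannot be ignored
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepared statements; placeholders are never interpolated
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    unset($config); // drop the credentials as soon as they have been used
    return $pdo;
}

try {
    $db = db_connect();
    // Constructed query with a bound parameter; user input never touches the SQL text
    $stmt = $db->prepare('SELECT id, name FROM users WHERE email = :email');
    $stmt->execute([':email' => $_GET['email'] ?? '']);
    $rows = $stmt->fetchAll();
} catch (PDOException $e) {
    // Full detail (host, user, driver message) goes to the server log only
    error_log('DB error: ' . $e->getMessage());
    http_response_code(500);
    // The visitor learns nothing about host names, users or schema
    exit('A database error occurred. Please try again later.');
} catch (RuntimeException $e) {
    // Configuration problems are logged the same way and shown the same generic text
    error_log('DB config error: ' . $e->getMessage());
    http_response_code(500);
    exit('A database error occurred. Please try again later.');
}
```

The `PDOException` catch must come before the `RuntimeException` one, because `PDOException` extends `RuntimeException`; with a single generic message in both branches the order only affects which log prefix is written.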
