3

I use the following php code to connect to mysql database.

<?php
// connect.php: credentials and connection setup, included by every script that needs the database
$hostname = "hostname.com";
$database = "dbtest";
$username = "admin";
$password = "pass123";
// Open a persistent connection; on failure raise a fatal user-level error (the message is logged, not echoed, when display_errors is off)
$connect = mysql_pconnect($hostname, $username, $password) or trigger_error(mysql_error(), E_USER_ERROR);
// Select the default database for subsequent queries on this connection
mysql_select_db($database, $connect);

This code is placed in a connection file called connect.php which is included in all php scripts that require access to database.

If a hacker gets the URL of connect.php (http://www.domainname.com/connect.php), is it possible to hack my database? How can I ensure that the PHP connection code does not help the hacker? Or which is the most secure way of connecting to the database?

3
  • If that is the only code in that file, it poses no danger whatsoever, unless the attacker is able to inject more code to be executed, or you have .phps enabled for viewing source code. If you are really worried, move that file outside the document root. The trigger_error() instead of die() is nice to see, but make sure you don't show the error text to the user. Commented Jul 27, 2012 at 11:44
  • The script doesn't output anything, except the trigger_error, which in shared hosting doesn't output to the user's browser and is usually written to a file, so in the end the user that navigates to that URL will get a white page. Commented Jul 27, 2012 at 11:45
  • Is your database server available to the world? Also, see Michael's much better answer in this recent question: stackoverflow.com/questions/11680808/… Commented Jul 27, 2012 at 12:27

5 Answers 5

8

You should never ever have PHP files with code inside the document root of your website. The only thing in the document root should be a bootstrap file, and all requests should be routed through it. If you have that file inside the document root of your site and for some reason the webserver doesn't parse the file, it will be displayed as is.

And please, don't use mysql_* functions for new code. They are no longer maintained and the community has begun the deprecation process. See the red box? Instead you should learn about prepared statements and use either PDO or MySQLi. If you can't decide, this article will help to choose. If you care to learn, here is a good PDO tutorial.

And always use an encrypted connection (SSL).

See this for routing examples and dispatching patterns. Basically what should happen is: all requests are handled by the index.php file under the document root. The index.php bootstraps everything (i.e. calls (includes) another file outside of the document root). This file checks the URL of the request, finds out which file belongs to the current URL and executes it.


7 Comments

/troll warning what about wordpress?
What about WP? Just don't use it... :-) @MichaelRobinson Have you seen the source. Oh the horror.
It is the prime example of how not to do ... anything.
@GeenHenk Because it is the summer of love I will not call you an idiot
@GeenHenk: then your opinion is wrong. :) Sorry, but prepared queries are pretty much security 101. Anything else is just asking for SQL injection vulnerabilities. There are plenty of places where differing opinions are great, but here, you are wrong, and you desperately need to change your mind, in much the same way as you'd be wrong if you said "In my opinion, I don't like the idea of driving in the same side of the road as everyone else", or "I don't like the idea of having to wash my hands before preparing food for my restaurant"
1

Typically, this should be secure regarding your config data, if the hacker only has the URL to the file and if your webserver is configured properly so that the raw source code is not revealed.

You can increase security if you place such a config file outside the web root directory.


1
  1. Do not use mysql_* functions.
  2. Put the file somewhere other than under the document root directory of the web server.
  3. Configure the web server to only allow connections from a list of IP addresses.
  4. Consider using a secure connection (SSL) always and configure the database to only use SSL.

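The layout recommended in the top answer (a single bootstrap index.php under the document root, credentials in a file outside it) combined with the prepared statements, PDO and SSL points from the list above, written out as an added example that is not code from the question or any answer. The paths, the hostname, the CA file location and the `users` table are assumptions chosen for illustration.

```php
<?php
// Added example (not from the question or answers). Assumed layout:
//   /var/www/app/config/db.php     <- credentials, OUTSIDE the document root
//   /var/www/app/public/index.php  <- the only PHP file under the document root
// If the webserver ever serves PHP as plain text, only this bootstrap is exposed,
// never the credentials.

// --- /var/www/app/config/db.php (returns an array, so nothing is ever echoed) ---
// return [
//     'dsn'      => 'mysql:host=db.internal.example;dbname=dbtest;charset=utf8mb4',
//     'user'     => 'app_user',
//     'password' => 'CHANGE-ME',
//     'ca'       => '/etc/ssl/certs/mysql-ca.pem',   // CA that signed the DB server cert
// ];

// --- /var/www/app/public/index.php (document-root bootstrap) ---
// The path is computed relative to this file, so the config never needs to be web-reachable.
$config = require dirname(__DIR__) . '/config/db.php';

$pdo = new PDO($config['dsn'], $config['user'], $config['password'], [
    PDO::ATTR_ERRMODE                      => PDO::ERRMODE_EXCEPTION, // surface failures as exceptions
    PDO::ATTR_EMULATE_PREPARES             => false,                  // real server-side prepares
    PDO::MYSQL_ATTR_SSL_CA                 => $config['ca'],          // TLS to the database server
    PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true,                   // and verify who we talk to
]);

// Minimal router: map the request path to a handler; user input never reaches SQL as text.
$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);

try {
    if ($path === '/user') {
        // The parameter is sent separately from the statement text, so a crafted ?id=
        // value cannot change the query's structure.
        $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
        $stmt->execute([':id' => (int)($_GET['id'] ?? 0)]);
        header('Content-Type: application/json');
        echo json_encode($stmt->fetch(PDO::FETCH_ASSOC) ?: null);
    } else {
        http_response_code(404);
    }
} catch (PDOException $e) {
    // Keep the driver's error text server-side (as the comments on the question advise
    // for trigger_error()); the browser only sees a generic status.
    error_log($e->getMessage());
    http_response_code(500);
}
```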

0

Nothing will happen if anyone accesses this page.

Though mysql_* in itself is insecure.


0

It's safe. You can also store the file outside DocumentRoot.
