In tutrorials for Connecting to MySQL with PHP you see something similar to the below.
$pdo = new PDO('mysql:host=localhost;dbname=mydb', 'myuser','mypassword');
I have a connection working this way on my localhost but for putting it live what do you do about the password? Do you just leave it as plain text like that in your php file? Or is there a more secure way to handle this?
Nobody can see your connection string if they look at the source, it can only be seen by looking at your raw code. I would also have it inside a separate file, and include the file on your page. This also helps if you need to change the password, as you won't have to edit every page that uses a connection - you'll only need to edit the one file.
Alternatively, you can have a connection string in an include file and place it outside of document root. This stops people getting to this file using a browser or if they attack your FTP. This will help security of your plain-text passwords, but is still accessible if somebody gets/has access to your local directories. To do this, you may need to configure a PHP configuration variable, open_basedir, which allows your script to talk to a file outside of root. This all depends on if you have access to a folder behind root of course, and if you can change that configuration variable.
Other than that, there's not much that can be done.
Include File Example:
Create a file called conn.php and store your connection in there.
$dbConn = mysql_connect($host, $user, $pass);
mysql_select_db("dbName", $dbConn);
On the page that needs the connection, include the conn.php file like so:
<?php
include("conn.php");
if (!dbConn) {
die('Sorry, our database did not load. Please try again later.');
exit();
}
$result = mysql_query("...");
?>
index.php(view file), index.js(js) and check.php(php). All files are in root. User can click a button in index.php(view file) can lead to check.php via ajax. This will work fine. If we enter in url in browser with www.mydomain.com/check.php, others can view the file. How to avoid this?
An end user will never be able to see the text inside a PHP script. They only see what is output by the code. You can put passwords like that in, as long as you never do something like:
$mySecretPassIs='TheBoogeyManCometh';
echo $mySecretPassIs;
Having said that, it is often easier to put your connection details in a script, include it as you need from the various pages and off you go. The benefit is that if you change passwords or the like, you only have to change it in one place, and you can keep these included files in one safe place.
There really is no way around it. Just put that line in a mysql_connect.php file and include() it, so it's not on your source pages.
This way, even if someone is looking at your source, the password won't be immediately available.
Make sure your database permissions only allow that user certain privileges on the database, so even if the password is compromised, they only can modify things in that one database.
