0

I need to create a class for connection to the DB. I know that hardcoding DB info is bad such as:

$user = "xxx";
$password = "yyy";
$server = "zzz";
$dbname = "name";

mysql_connect($server, $user, $password); // argument order is host, user, password
mysql_select_db($dbname);

That's why i use "include" such as:

include "config.php";

which contains all the needed variables, and then I can use mysql_connect with them. But as far as I know, this is a bad practice as well. How can I use the mysqli class (extending it?) the easiest way, and of course the safest possible?

Thanks for any tip

2
  • why is hardcoding a security risk? Commented Oct 26, 2012 at 14:00
  • 1
    I would suggest you to use PDO. PDO provides you with a DB abstraction layer and all the classes to access the data, including connection. Commented Oct 26, 2012 at 14:00

4 Answers

2

In the end you have to put your connection configuration parameters inside your code. It doesn't matter if it is in a constant, a class, etc.

I don't think hardcoding those values is a security risk. Your PHP scripts are on the server, so they are protected by the file system permissions and the system permissions as well. If somebody can access your files, the security issue is in the server and not in the PHP script.

Use PDO, it has classes to handle db access.

From the PDO php manual:

The PHP Data Objects (PDO) extension defines a lightweight, consistent interface for accessing databases in PHP.

Connections are established by creating instances of the PDO base class.

Example #1 Connecting to MySQL

 <?php
 $dbh = new PDO('mysql:host=localhost;dbname=test', $user, $pass);
 ?>

1 Comment

If you quote material from an outside source, please make sure you reference it as such. I've edited your question to show how this should be attributed.
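The answer above quotes only the one-line PDO constructor from the manual. As an added example (not part of the answer or the PHP manual), here is a small connection class around PDO that keeps the credentials out of the script entirely: it reads them from environment variables (the names DB_HOST, DB_NAME, DB_USER and DB_PASS are assumptions for this example), turns on exception-based error reporting, disables client-side prepare emulation, and shows a query with a bound parameter. It assumes PHP 7.4 or newer and a `users(id, name)` table.

```php
<?php
// Added example: a PDO connection factory whose credentials come from the
// environment rather than from the script. Variable names are assumptions.
declare(strict_types=1);

final class Database
{
    private static ?PDO $pdo = null;

    /** Returns a shared PDO handle, creating it on first use. */
    public static function get(): PDO
    {
        if (self::$pdo === null) {
            $host = getenv('DB_HOST') ?: 'localhost';
            $name = getenv('DB_NAME') ?: 'test';
            $user = getenv('DB_USER');
            $pass = getenv('DB_PASS');
            if ($user === false || $pass === false) {
                // Refuse to start with missing credentials rather than
                // falling back to some default account.
                throw new RuntimeException('DB_USER / DB_PASS are not set');
            }

            $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $host, $name);
            self::$pdo = new PDO($dsn, $user, $pass, [
                // Throw exceptions instead of silently returning false.
                PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
                // Use real server-side prepared statements, not client-side emulation.
                PDO::ATTR_EMULATE_PREPARES   => false,
                PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
            ]);
        }
        return self::$pdo;
    }
}

/** Looks up one user row by id; the value is bound, never interpolated into SQL. */
function findUser(int $id): ?array
{
    $stmt = Database::get()->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

try {
    var_dump(findUser(1));
} catch (PDOException $e) {
    // Log the detailed message server-side; the client gets nothing specific.
    error_log($e->getMessage());
    echo "Database error.\n";
}
```

Setting the variables in the web server or service unit (for example `DB_USER=app DB_PASS=... php script.php` when testing from a shell) keeps them out of the code tree and out of version control, which is the concern the question raises; the catch block is what stops a connection failure from printing the host name or user name to the visitor.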
1

I can't really answer your question right now, but as a tip, watch this video.

It's a PHP Security series that may help you there:

https://www.youtube.com/watch?v=Nx-g-0ynP_I

If it doesn't work search for PHP Security part 1 on youtube!

Hope it helps!


1

There's nothing terribly insecure about hard coding database constants (as others have stated, they have to be somewhere...) though like you note it's a good idea to have these values in a separate file. I'd suggest going one step further and not tracking this file in source control, instead create a template, such as config.base.php which you copy over to config.php and configure per server. There are other options (where I work, we track these files, but name them $(hostname).php which allows for some clever import-chaining, but isn't necessary) but this is an easy, safe one, with the advantage of keeping these values out of your version control. This allows the code to be distributable without providing these passwords.

The bigger security issue to concern yourself with is locking down your front-facing MySQL user to only have the permissions you need your webapp to have. For instance, generally it's a bad idea for your website to be CREATEing or ALTERing tables live, so it's often a good idea to not grant those privileges to the user your website uses, and have a different, higher privileged user that you use directly to make schema changes offline.

To your question, I do the following in a common.php class to create my MySQLi connection:

require_once($_SERVER['DOCUMENT_ROOT'].'/includes/config.php');
$db = @new mysqli(MYSQL_HOST,MYSQL_USER,MYSQL_PASS,MYSQL_DB);
if(mysqli_connect_errno())
{
    if(DEBUG_MODE)
        $template->error('Failed To Connect To Database: '.mysqli_connect_errno().': '.mysqli_connect_error());
    else
        $template->error('Failed To Connect To Database.  Try reloading the page.  If this error persists, <a href="/contact.php">let me know</a>.');
}
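As an added example (not the answer's own common.php), the following script shows the config.base.php template pattern and the connection code from this answer in a form that fails safely: the config file path outside the web root, the placeholder values, the constant names and the `users` table are all assumptions. It relies on mysqli throwing exceptions (`mysqli_report` with `MYSQLI_REPORT_STRICT`) and on the mysqlnd driver for `get_result()`.

```php
<?php
// Added example: load a per-server config.php copied from a tracked template,
// refuse to run on unfilled placeholders, and report connection failures
// without exposing details unless DEBUG_MODE is on.
declare(strict_types=1);

// config.base.php (tracked in version control) holds only placeholders:
//   define('MYSQL_HOST', 'localhost');
//   define('MYSQL_USER', 'CHANGE_ME');
//   define('MYSQL_PASS', 'CHANGE_ME');
//   define('MYSQL_DB',   'CHANGE_ME');
//   define('DEBUG_MODE', false);
// config.php is the per-server copy and is listed in .gitignore.
// Keeping it one level above the document root is an assumption here.
$configFile = dirname(__DIR__) . '/config/config.php';
if (!is_readable($configFile)) {
    http_response_code(500);
    exit('Configuration file is missing; copy config.base.php to config.php.');
}
require_once $configFile;

// Fail loudly if a placeholder from the template was never replaced.
foreach (['MYSQL_HOST', 'MYSQL_USER', 'MYSQL_PASS', 'MYSQL_DB'] as $const) {
    if (!defined($const) || constant($const) === 'CHANGE_ME') {
        http_response_code(500);
        exit("$const is not configured.");
    }
}

// Make mysqli throw exceptions instead of returning false and setting errno.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

try {
    $db = new mysqli(MYSQL_HOST, MYSQL_USER, MYSQL_PASS, MYSQL_DB);
    $db->set_charset('utf8mb4');
} catch (mysqli_sql_exception $e) {
    // Full details go to the server log; the visitor sees them only in DEBUG_MODE.
    error_log('DB connect failed: ' . $e->getCode() . ' ' . $e->getMessage());
    http_response_code(503);
    exit(DEBUG_MODE
        ? 'Failed to connect to database: ' . htmlspecialchars($e->getMessage())
        : 'Failed to connect to database. Try reloading the page.');
}

/** Query with a bound parameter; the web user only needs SELECT on this table. */
function findUserByEmail(mysqli $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

var_dump(findUserByEmail($db, 'alice@example.com'));
```

The placeholder check is what makes the template approach safe in practice: a server where config.php was copied but never edited stops with a clear message instead of connecting with whatever account the template happened to name. The least-privilege point from the answer applies to the account named in MYSQL_USER; a script like this one needs only the DML grants on the tables it reads and writes, not CREATE or ALTER.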


0

All the proposed answers could be correct I guess, but for my purpose and circumstances, I created a file that includes mysqli object creation and connection to the DB with some functions for escaping data. Then I just include the file in all other .php files that need DB connections, and it's very easy to use and execute queries. If someone needs more info or examples, let me know.

Thanks to all
