
Okay, I'm very new to web programming. I'm creating my own database-driven website. I'm attempting to set up an admin login to update the site's content. I'm worried about accessing my MySQL database securely, however.

I intend to have the database search for the given username, and then compare the password hash to the hash of the given password.

My worry is in setting up the connection to the MySQL database.

From what I see, the way to do this is via:

<?php
    // placeholder values; the real ones live only in this server-side PHP file
    $myConn = mysqli_connect('host', 'user', 'pass', 'dbName');
?>

Now I intend to pass this to javascript to check all the credentials but if this is defined in the HTML file, then the login details would be plain for all to see yes?

Or, should I define it in an external .js file that will do the checking? I'm still worried whether that is safe enough.

  • It's always a good practice to process/validate the credentials in your backend. Commented Oct 4, 2013 at 3:35
  • What exactly is considered the backend? .js files? Like I said, I'm very new to web programming. Commented Oct 4, 2013 at 3:39
  • You don't pass the connection directly to the JavaScript. If you want to do Ajax, you make a PHP page that receives the credentials and returns whether they are valid or not (probably also creating a session if they're valid). Your DB user/pass should be only in the backend (the PHP scripts). Commented Oct 4, 2013 at 3:39
  • PHP is backend/server-side scripting while JS is a front-end script. It's much easier to validate data in PHP with MySQL. Commented Oct 4, 2013 at 3:41
  • @Sevvy325 what exactly are you passing to JavaScript? The MySQL connection? That is not possible. Commented Oct 4, 2013 at 3:48

1 Answer

I think you are a bit confused there, so I will try to explain it very simply.

Front End - Client Side: HTML, CSS, JavaScript
Back End - Server Side: PHP, SQL

Everything on the Front End... cannot be trusted, as it is accessible by everyone. Then why are we validating with JavaScript? Just to help users with typos... simple as that...

All your security is at the Back End. You validate with PHP all the values submitted from the Front End and then you perform the required actions on your Database with SQL.

You should never pass anything to JS that you don't want your users to see/access. You should do that via PHP.

Does this help you/clear the things a bit?

PS: From my understanding you are creating a login for your project, right? Find below some links with step-by-step tutorials that might help you.

  1. http://www.phpeasystep.com/phptu/6.html
  2. http://php.about.com/od/finishedphp1/ss/php_login_code.htm
  3. http://www.wikihow.com/Create-a-Basic-Login-Script-in-PHP
  4. http://www.homeandlearn.co.uk/php/php14p2.html
  5. http://phpsnips.com/4/Simple-User-Login#.Uk41QYZmi-0
  6. http://www.html-form-guide.com/php-form/php-login-form.html
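The flow described in the comments and the answer (the browser posts the credentials to a PHP page, the server looks up the user, verifies the password hash and starts a session) as an added example; this is not code from the original post, and the `admins` table, its columns and the connection values are assumed:

```php
<?php
// Added example, not from the original answer: a server-side login handler.
// The database credentials and the password check live here on the backend;
// the browser only ever receives the JSON response.
session_start();

// Assumed configuration; in a real deployment keep these outside the web root.
$dbHost = 'localhost';
$dbUser = 'app_user';
$dbPass = 'replace-with-real-password';
$dbName = 'mysite';

header('Content-Type: application/json');

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
if ($username === '' || $password === '') {
    http_response_code(400);
    echo json_encode(['ok' => false]);
    exit;
}

$conn = new mysqli($dbHost, $dbUser, $dbPass, $dbName);
if ($conn->connect_error) {
    http_response_code(500);
    echo json_encode(['ok' => false]); // never echo connect_error to the client
    exit;
}

// Prepared statement: the username is bound as data, never spliced into the SQL.
$stmt = $conn->prepare('SELECT id, password_hash FROM admins WHERE username = ? LIMIT 1');
$stmt->bind_param('s', $username);
$stmt->execute();
$stmt->bind_result($adminId, $storedHash);
$found = $stmt->fetch();
$stmt->close();

// password_verify() checks against a hash produced by password_hash();
// the same generic failure is returned whether the user or the password is wrong.
if ($found && password_verify($password, $storedHash)) {
    session_regenerate_id(true); // new session id on login, against session fixation
    $_SESSION['admin_id'] = $adminId;
    echo json_encode(['ok' => true]);
} else {
    http_response_code(401);
    echo json_encode(['ok' => false]);
}
```

The JavaScript on the page only submits the form and reads `ok` from the response; it never sees the database credentials or the stored hash.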

6 Comments

Thanks very much for taking the time to expand a bit on this concept. I'm going through the same thing now, and have a good handle on it. I understand everything you said except the "...never pass anything to JS that you don't want your users to see/access". Do you mean pass from server to client, or do you mean user to js? Thanks!
@TimSPQR Just think of it like this. Everything you handle with JS can be changed by the user. It doesn't require advanced web developer skills for someone to inspect a page with any browser and check your JavaScript and see what values you have there. So never have anything in JS that has to do with your Database connection or Passwords (except for example when you are validating the strength of a new password input) etc.
So if I include some PHP in my HTML file, would that still be accessible? Or would that be hidden from the client side? I really am just getting started, and really appreciate the clarification you've provided!
@Thanos - Ok, now I know what you meant - JS is "visible" with "view source" (in IE), and therefore can be known. Thanks very much!
@Sevvy325 - I struggled with this a few months ago - Just remember that ANY PHP code on the page that you write is processed by the server prior to the page being sent to the client - and so if you write <?php echo "Hello World" ?> on your page, it will never be seen - the server will process the line, and only send over the - Hello World -. Try this next time you're coding - write a large PHP comment <?php /* comment stuff etc */ ?> on your page, and ONLY YOU can see it on your coded page, and the user can NEVER see it.