Currently I am storing connection data in a PHP file. But as recently happened with Facebook, where PHP files appeared on screen without being processed, is there any other alternative to avoid such a scenario?
4 Answers
Store your private connection information in a file outside of your document root folder and use require_once to load it.
That way, if something happens, users cannot go to http://yoursite/db.config.php and download your file.
1 Comment
Our solution is to keep a tiny my.cnf with just the [client] section defined. Most MySQL connectors have a "read_defaults_file" directive which allows you to use the file directly.
You can then keep that file under security, and the script will fail at that line if the user is not authorized for that information.
If you are using at least PHP 5, mysqli::options does exactly what I describe when MYSQLI_READ_DEFAULT_FILE is specified. On older PHP versions, it looks like the built-in parse_ini_file will do the trick of parsing.
This approach has the advantage of being compatible with Perl, Python, and C, so that if your database info changes, you just update one file, and all your applications stay in sync.
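An added example, not part of either answer, that combines both suggestions: the credentials sit in a [client] section of a file outside the document root, and the loader refuses a file that is web-reachable or world-accessible. It reads the file with parse_ini_file so it works regardless of which MySQL client library PHP was built with. The path /etc/myapp/db.cnf, the sample values and the helper names load_db_settings and db_connect are assumptions.

```php
<?php
// Added example. Assumed layout (constructed sample), file kept outside the web root:
//   /etc/myapp/db.cnf, not world-readable, containing
//   [client]
//   host=127.0.0.1
//   user=app_user
//   password=CHANGE_ME
//   database=app_db

// Hypothetical helper: refuse a credentials file that the web server could serve
// or that any local account could read.
function load_db_settings(string $path, string $docRoot): array
{
    $real = realpath($path);
    if ($real === false || !is_readable($real)) {
        throw new RuntimeException('database settings file missing or unreadable');
    }
    $root = realpath($docRoot);
    if ($root !== false && strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0) {
        throw new RuntimeException('database settings file is inside the document root');
    }
    if ((fileperms($real) & 0007) !== 0) {
        throw new RuntimeException('database settings file is accessible to other users');
    }
    // INI_SCANNER_RAW keeps the password literal (no boolean/constant conversion).
    $ini = parse_ini_file($real, true, INI_SCANNER_RAW);
    if ($ini === false || !isset($ini['client'])) {
        throw new RuntimeException('database settings file has no [client] section');
    }
    return $ini['client'];
}

// Hypothetical helper: connect using the [client] values.
function db_connect(string $path, string $docRoot): mysqli
{
    $c = load_db_settings($path, $docRoot);
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    try {
        return new mysqli($c['host'] ?? 'localhost', $c['user'] ?? '', $c['password'] ?? '',
                          $c['database'] ?? '', (int) ($c['port'] ?? 3306));
    } catch (mysqli_sql_exception $e) {
        // Log the detail server-side; never echo connection errors to the page.
        error_log('DB connect failed: ' . $e->getMessage());
        throw new RuntimeException('database unavailable');
    }
}

$db = db_connect('/etc/myapp/db.cnf', $_SERVER['DOCUMENT_ROOT'] ?? __DIR__);
```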