protecting password in mysql_pconnect function

ken72

Hi all,

I am pretty new at this stuff and was wandering whether someone can advise me how to protect my username and password in mysql_pconnect("localhost", "user","password") in a php scrip that connects on to my MYSQL database.

Maybe I am a little confused, does the username and password even need to be protected or can you just leave it in the code as it cannot be viewed by the internet browser executing the script. Or do I need to meke user and password a variable and put it in another folder. If so which folder?

hand

Put your connect string into a seperate script, if possible store it outside of the webserver root and include it whenever you need a connect.

1st advantage: You have only one place where you have adminitrate userid/password,
2nd advantage: Webuser can't access files outside webserver root directly

<?
// connect.inc.php
mysql_pconnect("localhost", "user","password") 
?>

<?
// anyscript.php
include "/usr/local/wherever/connect.inc.php"; // Script needs a connect to the db

Another posibility is to define user, host and password at php.ini

; Default host for mysql_connect() (doesn't apply in safe mode).
mysql.default_host =

; Default user for mysql_connect() (doesn't apply in safe mode).
mysql.default_user =

; Default password for mysql_connect() (doesn't apply in safe mode).
; Note that this is generally a *bad* idea to store passwords in this file.
; *Any* user with PHP access can run 'echo cfg_get_var("mysql.default_password")
; and reveal this password!  And of course, any users with read access to this
; file will be able to reveal the password as well.
mysql.default_password =

[deleted]

Who are you trying to protect the password from?

Putting the passwordin php.ini makes it readable to any script that is executed, and easy to find because it's in php.ini.

Putting it in a file outside the docroot is also still readable to every script. And which file to read is stored in every script that reads the file.

ken72

Thanks Hand & Vincente,

I am try to proctect my username and password from whoever cares to crack into the MYSQL database that is used on my site. At the moment all my files are saved in my webhost directory under a folder called www. I have now created the script suggested by hand and called it connect.php and placed it in a new folder called files that is in the www folder. Is that the best place to put it?

This is probably a very basic question but what do you guys mean by root directory? And why do people always say it is a bad idea to place passwords in the root directory?

Thanks again.

Kind regards,

Ken

gte604j

I have to do this for one of my clients pretty soon.

what i think i will do is compile a extension to php in c and have the username and password in that. I was also going to store a key for encryption in there too.

sorry i cant be of more hep but that is what i am going to be doing

jake