Secured Connection to SQL

jjoves

Question regarding the most secured way to have your connection file (ie: connect_to_mysql.inc) coded.

some set their codes with this:

DEFINE (DB_USER, "username");
DEFINE (DB_PASSWORD, "password");
DEFINE (DB_HOST, "localhost");
DEFINE (DB_NAME, "database_name");

$db_connection = mysql_connect (DB_HOST, DB_USER, DB_PASSWORD);

and some use this:

<?php
$link = mysql_connect("localhost", "user", "password")
or die("Could not connect: " . mysql_error());
print ("Connected successfully");
mysql_close($link);
?>

What is the most secured and the best way to code a connection to MySQL and

eoghain

Well the safest way is to have a included file hold your connection information and have that included file exist outside of your web root. As long as you do it this way then it doesn't matter if that file holds just the connection variables, or if it holds the actual connection code. What you are trying to avoid is someone being able to access that file directly and thus getting your connection information.

jjoves

So if I was to use include() in my script as the connection and upload it outside the root folder -

would this code do it

<?php
$link = mysql_connect("localhost", "user", "password")
or die("Could not connect: " . mysql_error());
print ("Connected successfully");
mysql_close($link);
?>

eoghain

Certainly, you just need to remember that when you include that script piece you'll have a variable called $link that is attached to the specific database as the given user.

Personally I have a class that I wrote that does the work of connecting to the database for me, but I still have to supply the username/password/database information to it, and I hold this information in a script outside of my webroot and include that. This way if I happen to need to connect to a different database then I have that ability.

<?php
   // db_connection.inc
   $user = "username";
   $pass = "password";
   $db = "databasename";
   $host = "localhost";
?>

<?php
   // All pages that use database
   include ("/home/eoghain/includes/db_connection.inc");

   // Custom class to handle database connection
   $db = new DBConnection($user, $pass, $db, $host); 
?>

jjoves

This mailerconnect.inc file is to mainly connect to a specific database and specific table---

database=mailing_list
table=mail_list
username=mailer
password=password

so would my "mailerconnect.inc" be like this:

<?php
// -- db specifics --
$user = "mailer";
$pass = "password";
$db = "mailing_list";
$host = "localhost";

mysql_connect("localhost", "user", "pass")
or die("Could not connect: " . mysql_error());
print ("Connected successfully");
mysql_close($link);

My future set up would be to have different dbconnect "INC" file for specific users and different mysql_connect "INC" file for different database. So when I code my all I have to do is use the include() depending on who wants to connect and which database theyre using...I dont know if that make sense but I figured it's like assigning a token for each script depending on what needs to be done...