[Resolved] open_db.inc security - newbie question

helil

I´d like to know if my "open_db.inc" (file to open my database, with username and password) should be protected in any way (how)?
BTW, I use a third-part ISP.

thanks in advance,
helil

cgraz

yes, don't use .inc extension. Anyone can just type in the path to your .inc file and view all your info as plain text. Save it as

open_db.inc.php

.php extensions don't appear as plain text in the browser, and all your passwords will be hidden, even if the person tries to view the source.

Cgraz

helil

beautyful. thanks a lot.

vboyz

what happend if they try to download that file?

s_shrum

I actually do DB settings in a PHP code block, ala:

db_settings.php

<?php

$server="myserver.com";
$username="me";
$password="password";

?>

Then just do a require statement in your PHP scripts and use the variable names in your connect string.

This way, if someone does call your db_settings.php file, nothing is displayed...the script returns nothing to the browser.

Sean Shrum

ssanders82

Hi, I am a newbie too and this got me worried b/c I put my db connect in a .INC also. I searched around and it seems like the consensus is that this is a big no-no. However I typed in the .INC path in my browser and it said Forbidden - you don't have permission... Is this still safe? Should I still rename to .php extension? Also, I read that you shouldn't put the connect file in the regular directory, but in the root directory. I went up to root in my FTP and tried to upload, but got "permission denied." So I went to online File Manager for my web page but it didn't give me the option of changing the permissions for the root directory or anything above /www/www. Is this normal, and should I be worried? i couldn't find much on these boards about this so if anyone could help me out i would appreciate it. I am still unclear on how secure/vulnerable my page is. thanks.

cgraz

it wouldn't hurt to change it to a .php extension, just in case.

Cgraz