[Resolved] Is it possible for a hacker to get dbase username & password

adrianuk29

At the top of my pages I use the following code to connect to the database

$dbcnx = @mysql_connect("servername","username", "password");

What I wanted to know is if it is possible for a hacker to get hold of this information by sending some code to the page?

Sxooter

That really depends on what's in the rest of your page. but gerenally, unless they can get apache to stop processing php and display your pages with the code showing you should generally be ok.

But again, without seeing your code, who knows what holes you may have open to crackers...

adrianuk29

I have put the sensitive information in to an include so if one day Apache did stop working they would get

$servername etc.... instead of the real path.

Thank you for your help.

Sxooter

A nice way to move them out of the way, is to put the data in a directory outside of the web server's document root, so it can't be browseable, then add that directory to the php.ini file as an include directory and include it from there.

Otherwise, if it's in the path of the web server's doc root then it's still accessable via the web server, possibly.

what I usually do is put the name, pwd, etc in a file that has a wrapper for the dbname_connect() function and returns the handle, and put that out of the way, so every php script can just include it and do something like:

$conn = myconn();

and they're done.