Securing mysql_connect script

Shendrick

Greetings all,

I did a search, but I didn't find anything that seemed similar, but I apologize if this has been covered before. What I have is a PHP/MySQL website that I've been working on. It works fine, and I've got no issues, generally, but I'm having some difficulty because of the server I've got it on.

Normally, when I create these pages, I put the script for connecting to the DB in the directory above the public directory, so that it's not accessible to the public, but accessible to the script. However, the server admins won't let me do this on the current server I'm setting this up on.

So, is there another good way to secure the access script, so not just anyone can access it?

Any help is appreciated.

Shendrick

liquorvicar

if your host has enabled .htaccess then you may be able to set the DB credentials via Apache's SetEnv
directive.

Shendrick

Thanks for the response. That's something I didn't know. It turns out that (I'm embarrassed to say), the admins have set up a directory for such things that I didn't know about, so I can place my script outside of the public directory, after all. I just now found out about it, of course, after I sent out a message.

Just out of curiosity, though, which is more secure, do you think? The environment variable, or placing access scripts out of the public directory?

Shendrick

liquorvicar

well, the danger with Environment variables is that they can be exposed by doing a print_r($_SERVER) or even a phpinfo(). it's up to you to make sure these aren't left open - i always disable phpinfo in my php.ini.

there may be issues with the include directory method if you use filesystem methods.

interestingly, the PHPSec consortium advocate the Environment variables method, but i'd be interested to hear other input on this.