secure my log on to MySql database

Josephpham

To all the experts,
I just have a MySql / PHP myAdmin with Yahoo. I am teaching myself to build a database for my website. (Yahoo support PHP version 4)

Problem: Everytime I need to connect to my database.. from the client side, I have to pass my host name, username, and password along. I heard that is unsecured. Does anyway I can protect it?
I have my Host, UserName, Password in a different PHP file called "passw.php" and have the "include('passw.php') to call that logon info when I need it. Does anyone please teach me the best way to protect this? or any other correct way how to do? I am very dump in PHP and mySql, if you have a piece of code it would be helpful.

Thanks in advance.

drew010

if the mysql server is localhost, then the username and password details are never passed over the network for anyone else to see.
if the mysql server is a remote server, it could be possible for users on your network, the destination network, or any in between that the data passes through to potentially sniff and detect your passwords. but the nice thing about mysql is that the usernames are also limited to a host.

for example, you login with
mysql_connect("remotesqlhost.com", "myuser", "mypassword");

you are actually identified as myuser@yourhostname so even if a person does have your sql password, they cant connect to the database unless their hostname matches what is allowed. for example if i wanted to connect to my sql server at work from home, i would first have to create a user drew010@12.34.56.78 (where 12.34.56.78 is my home ip).
that way when i run
mysql_connect("myserver.com", "drew010", "pass");
im actually identified as drew010@12.34.56.78, so if someone from the ip 11.22.33.44 tries to connect they will be identified as drew010@11.22.33.44 and that is not a valid user, so they wont be granted access.

Josephpham

mysql server is a remote server, I host with Yahoo.com, the host name by default is "mysql" I have a "search" button on my page for the internet end user to search items on my database to get the availability, pricing etc.. therefore my search.php must have "mysql_connect("mysql, "myusername", "mypassword"); to connect to my database to get the info. Is this unsecured? Any otherway to do? please help!

bodzan

This file pretty much says it all...

But for starters make a access file that has your access credentials and set it outside your web root so it can't be accessed from outside (i.e. it will have no URL related to it so it can't be used)...

Then in every one of your scripts that call out to this database include or require this file...

The thing is like this:
Say you have a file named config.php where your access credentials are made like this:

$DB_HOST = "db_host";
$DB_NAME = "db_name";
$DB_USER = "db_username";
$DB_PASS = "db_pass";

Then on the page that you need connection to this database you make a call like this:

$dblink = mysql_connect($DB_HOST,$DB_USER,$DB_PASS);
mysql_select_db($DB_NAME,$dblink);

And you have a connection...

Now some more info on placing a file outside a web root:
Say you have a path to your web folder like: /usr/name/www/
You should place your config.php file previously mentioned somewhere like /usr/name/secure/
Next wherever you need to call for him you can call him by /usr/name/secure/config.php
And that's prety much it...

For the rest read on that file I gave you because you can learn a lot...

I'm no expert on this mater: I just read stuff...