Protecting a Database

mrgrammar

If I have a form that writes data to a database and retrieves data based on the form input, is it possible for someone to actually access the database itself through some type of hack of the form and be able to get the data?

If so, what do I need to do to protect the database?

laserlight

mrgrammar wrote:
If I have a form that writes data to a database and retrieves data based on the form input, is it possible for someone to actually access the database itself through some type of hack of the form and be able to get the data?

In a way, yes, through SQL injection.

mrgrammar wrote:
If so, what do I need to do to protect the database?

Protect against SQL injection. Keep the database login credentials stored in a file outside of the public document root.

mrgrammar

How do I then access that file for use in connecting to the database?

laserlight

mrgrammar wrote:
How do I then access that file for use in connecting to the database?

Just include it.

Bjom

If you are afraid of someone being able to see what's inside that DB connection include script...that's not possible through the form. Only if the webserver is setup so horribly that anyone can see what's inside the folder with the php scripts and open those scripts for editing would it be possible for someone to steal your DB credentials.

The much more realistic threat is what laserlight pointed at.