Question

Just wondering if this could be a potential security problem with MySQL and PHP:

I have a connect.php file on a server. If someone used require(http://myurl.com/connect.php/);, would this allow them access to my database?

Thanks in advance


Solution

No, but for additional security, it's best to keep your sensitive files outside of the web root, in case a misconfiguration of your webserver breaks PHP and exposes it as plain text.

OTHER TIPS

No, that would not allow them to connect to your database. When they require your connect.php over the Internet, they get what is produced by this PHP script as output. In your case, your PHP script (connect.php) probably produces nothing as output (it just connects to the db and terminates).

No, PHP variables are not accessible client side. For example, a file like this:

<?php
// Create connection
$con=mysqli_connect("example.com","peter","abc123","my_db");

// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }

The $con variable would not be accessible publicly.

Probably not. If "someone" does require(http://myurl.com/connect.php/); from his server (and has the inclusion via http enabled, see http://www.php.net/manual/en/function.include.php), then his server connects to your server and fetches the interpreted output of your connect.php.

If you have 'server side include' enabled - yes.

Read about allow_url_include directive: http://www.php.net/manual/en/filesystem.configuration.php
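
The accepted answer's advice to keep credential files outside the web root, and the allow_url_include directive named in the last answer, can both be checked with a short script. This is an added example, not code from any of the answers; the function names and the temporary layout (public_html, private, db_config.php) are assumptions constructed for the demonstration.

```php
<?php
// Added example (not from the original answers). All paths below are constructed.

/** True when $file resolves (symlinks included) to a location under $webRoot. */
function isInsideWebRoot(string $file, string $webRoot): bool
{
    $f = realpath($file);
    $r = realpath($webRoot);
    if ($f === false || $r === false) {
        throw new InvalidArgumentException('path does not exist');
    }
    // Compare with a trailing separator so /var/www2 is not taken for /var/www.
    $r = rtrim($r, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($f, $r, strlen($r)) === 0;
}

/** Reads a boolean php.ini directive ("1", "On", "", ...) as true/false. */
function iniEnabled(string $directive): bool
{
    return filter_var(ini_get($directive), FILTER_VALIDATE_BOOLEAN);
}

/** Returns a list of findings for one credentials file. */
function auditCredentialFile(string $file, string $webRoot): array
{
    $findings = [];
    if (isInsideWebRoot($file, $webRoot)) {
        $findings[] = 'under the web root: served as plain text if PHP handling breaks';
    }
    if (iniEnabled('allow_url_include')) {
        $findings[] = 'allow_url_include is On: include/require here will fetch http:// URLs';
    }
    return $findings;
}

// Constructed layout: a web root and a sibling directory the web server does not serve.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'audit_' . bin2hex(random_bytes(4));
mkdir("$base/public_html", 0700, true);
mkdir("$base/private", 0700, true);
file_put_contents("$base/public_html/connect.php", "<?php // credentials here\n");
file_put_contents("$base/private/db_config.php", "<?php // credentials here\n");

foreach (["$base/public_html/connect.php", "$base/private/db_config.php"] as $file) {
    $findings = auditCredentialFile($file, "$base/public_html");
    echo basename($file), ': ', $findings ? implode('; ', $findings) : 'ok', PHP_EOL;
}
```

Run it with the PHP CLI; on a real server, pass the actual document root and the path of the file holding the database credentials to auditCredentialFile().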

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow