Question
Hi I'm reading a PHP textbook. Right now I'm learning how to connect to a DB using mysqli.
Here's some code from the script:
https://stackoverflow.com/questions/18290093
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianDEFINE ('DB_USER', 'myname');
DEFINE ('DB_PASSWORD', 'local123');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'sitename');
The script then uses mysqli to make a db connection.
A paragraph reads "Since the file contains information - the db access data that must be kept private, the script will use a .php extension because, even if malicious users ran the script in their browser, they would not see the content of the script."
I was curious and ran the script with httpfox open. Looks the connection DOES show all the sensitive info! If you click on the content tab.
So using .php adds no security?
Solution 2
Make sure that PHP-code is enclosed in <?php and ?>. Code that is not enclosed in <?php and ?> is interpreted by PHP as output that should be send to the browser. so you should do something like
<?php
DEFINE ('DB_USER', 'myname');
DEFINE ('DB_PASSWORD', 'local123');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'sitename');
?>
OTHER TIPS
Also note that having sensitive information (such as a database login) in a .php file does not preclude unauthorized users from accessing the file. The permissions used on the file system of the web server running the file and the security on the web server itself will have a huge impact as to whether malicious users will be able to gain access to the contents of the file.
That being said, as far as I know, there is no 100% safe way to store a database login (or any sensitive information) in a PHP file.
