I have an HTML file with a Form on it, where once the user clicks "submit", a PHP file is called which connects to a MySQL database and updates it with data from the Form.
Question is, how do I mask/hide the passwords to the MySQL database in my PHP code file?
I'm reading all sorts of things about working with "config" files and/or moving things into different directories so as to prevent others from accessing them - I get it in theory - but what are the actual steps I'm supposed to take to make this happen? Like where do I start? What's step #1, what's step#2, etc?
Everyone seems to offer little snippets of code, but I haven't found any good start-to-finish tutorial on this.
I called GoDaddy - where my account & DB are sitting - to see if their tech-support guys could help - no one was able to tell me what exactly to do, where to start, etc.
Can anyone out there help?
I think the other answers here are missing the point. If I'm not mistaken, you're talking about your mysql user password. The one which you use to establish a connection to the database in the first place. Right?
Well, you don't hide this. It's in a php file which is code. The public can't read your code (assuming your server is secure) so don't worry about that. Yes, your password is stored simply as text in a php file. It's fine.
A PHP file can include other PHP files that are outside the document root. So if you make a config file (in your case it could just be a fancy name for a file that defines a bunch of variables) and place it outside the document root of your webserver, and then include this file in your client-facing PHP file, that should do the trick.
The reason to put it outside your client-facing PHP file and outside the document root is if somehow through some exploit someone was able to access the actual PHP code.
EDIT following comment from OP:
Your config file could be just like any other PHP file, beginning with <?php and ending with ?>. In between you would define at least one or two variables - $db_username and $db_password and set them equal to their corresponding values. Make note of where you put this file, and in the file that needs to establish a DB connection, just put include('/path/to/config/file'); and use the variables you defined in the mysql_connect command.
Related
new-bee with this question.
so, enlightened ones, don't hastily down vote this question.
here's the explanation why this question arose:
in times when PHP engine doesn't start (because of any reason), our PHP code is shown as plain text.
to avoid this, before shifting to laravel, i used to keep code files in parent folder to "public_html" and include it where ever i wanted.
e.g.
my index.php is in:
public_html\index.php
inside this index file i write
include("..\code4index.php");
in this case if PHP engine fails, viewer will only see include("..\code4index.php"); as text
and as this "code4index.php" is out of the scope of website folder "public_html", it is not accessible.
now i am shifting to laravel.
what will happen if php doesn't start by some reason.
will my code be visible to all?
if yes, what must i do to avoid this?
if CodeIgniter provides this, i would give it a chance.
i want my code to be inaccessible in any circumstances.
what will happen if PHP doesn't start by some reason?
will my code be visible to all?
YES, it will be visible as normal text. and it will try to execute your index.php or root file of the application.
And you can't achieve this anyway.
I have files in a directory, "w", and I want to have those same files accessible from a different directory.
I have a MediaWiki installation in the directory 'w', creating a short url to link to the url 'wiki'. I have the files in the 'w' directory but it can be accessed from http://example.com/wiki. I want to have a second wiki entirely with the url format of http://example.com/second-wiki.
Since MediaWiki uses the content of files from a database the code never actually needs to change, even the LocalSettings.php. I set up a database system, modified the MediaWiki system, and created multi wiki support in a single database, by using a database table with input information such as the url to use. Or even use the same files and add a localsettings.php file to a directory 'w2' but use everything else from the original directory, 'w'. Is this possible? Preferably using .htaccess, or some other equally easy to edit. I don't want any changes to php configuration though.
I believe this may help...... - it is a simple redirect done in PHP so it is easy to edit later, etc.
I'll work with the fact you have a 'w' directory accessed by http://example.com/wiki and you want to access that through http://example.com/second-wiki (where 'magic' will be done to actually open the other URL).
In the 'w2' folder, make an index.php file with the following contents:
<?php
header("Location: ../w");
// NOTE: you may need to make that w/index.php or other pointer
exit();
Now, any time you access http://example.com/second-wiki, you will actually see http://example.com/wiki
Simple and easy to change later if you need to!
Not sure from the question that this is the solution (it fits the topic and some of the question text, though the question text does 'jump around' a bit...) - if it isn't, please rephrase the question to be more clear on just what you are looking for (in one place you say "the code never actually needs to change, even the LocalSettings.php" - then in another you talk about needing separate settings.....) - however, if you are looking for the 'simplest' (IMHO) way to make multiple URLs point to the same folder, this is the way to go - pure PHP and easy to mod later!
I would like to write a script to edit a css file or maybe even a slideshow for instance where a form will update the variables in my php document. I've been doing some reading and some say editing a php file directly is bad news due to security issues and to use xml.
I am not connecting to databases or anything like that. So my question is is this correct to write script to directly write/update a php file to changes its variables?
Thank you.
if you can correctly sanitize your input then it is a usable aproach. The worst that can happen is code injection. So do check for variable length and content very strictly. It is like eval(); only worse, as everyone else will run it to. If there are only variables to change you might consider using an .ini file for configuration. And Use the data in that from your PHP script
In general you should not run PHP scripts as a user with permissions to write to its own executable code; it means any file write vulnerability immediately escalates to a code execution vulnerability.
Writing dynamic data into a PHP file is risky. You would need to know how to serialise/escape any value to a PHP literal exactly; any error could result in code execution. Watertight code generation is in general a tricky thing.
There is almost certainly a better way to approach whatever it is you are doing. Putting data in a static store such as a config file or database, and reading the data at run-time, would seem to be the place to start.
Let's say you have a config.php that holds sensitive information like a DB user password. It is not recommended to store that file in the document root, right?
Why is that so and is it a safer approach to store sensitive information in the index.php of the document root?
For me, the first scenario that comes to mind is a misconfiguration that lets users download or view .php files, rather than parse them and present them as text/html. Say you perform an upgrade, something goes wrong, and Apache is no longer parsing your scripts. Somebody notices that Apache is sending your PHP files as plain text, and is able to open config.php and see the source code (and all the sensitive database configuration parameters inside).
To take this idea just a little bit further. Ideally you wouldn't store much more than a simple script that accesses your codebase, and your static files like images and css in the web root.
eg:
webroot/index.php
webroot/images/img1.jpg
webroot/images/img2.jpg
webroot/css/base.css
lib/myclass1.php
lib/myclass2.php
And your index.php would look something like this:
<?php
$CODEBASE = '/usr/home/wwwuser/wherever/it/is';
include $CODEBASE."/lib/myclass1.php";
$code = new MyClass1();
$code->doStuff();
?>
It's not a safer approach to store configuration data in index.php than config.php; they are both equally prone to being displayed if PHP somehow fails to parse their contents. The advantage to using a separate file for configuration data is that you may limit access to it, effectively preventing anyone from reading it over the HTTP protocol and keeping your data safe(r) even if PHP isn't parsing it.
Ok so this is my situation...a web application in PHP uses a "config" file for various parameters. This config file is nothing but a php file, say config.php with a global array of the form
$config['param_name'] = 'param_value';
$config['param_name2'] = 'param_value2';
Now I am currently writing an admin app that I want to use to control the main app. One of the things I want the admin app to be able to do is change the config values. So my use case will be something like change the value through an html form element and it should change the config.php replacing the value of the corresponding array index.
This is obviously not specific to php; but I'd love to hear some ideas on how one would go about editing this file. Any ideas?
Thanks!
I have another suggestion: have the configuration parameters sit in a database. Have your admin console work on the database instead.
If you are worried about performance, use APC to cache the parameters.
This way, you can add this configuration database to your other database backup procedure you have already in place.
I would suggest moving all configurable options out of the PHP file and into an external storage (INI file, database, xml, anything). Then you can initialize all the variables you read from the external file in your application's bootstrap file
Another option is to modify the PHP configuration file so it reads its information from an easy-to-access format like YAML.
That way the config file could be accessed by just about any language. A good alternative if you don't want yo use a database.