Safe MySQL password on shared hosting

Published 2019-06-26 11:02

Question:

I've made a simple web page for business clients that operates on MySQL database used mainly by our B2C Prestashop based e-shop. We're using shared hosting. This website is mostly based on jQuery jTable (jtable.org) and is meant to show current, approximate stock of products.

I've used jQuery jTable 'starter pack' and created a simple front-end view for our partners. It looks more or less like the one in jTable tutorial:

    $(document).ready(function () {

        //Prepare jTable
        $('#PeopleTableContainer').jtable({
            title: 'Product Availability',
            actions: {
                listAction: 'someconfigfile.php?action=list',
            },
            fields: {
                column1: {
                    title: 'column1',
                    width: '70%',
                    key: true
                },
                column2: {
                    title: 'column2',
                    width: '30%'
                }
            }
        });

        //Load person list from server
        $('#PeopleTableContainer').jtable('load');

    });

As I only want to show data I have in MySQL database, I've prepared read-only user and I'm using his credentials to access database. As seen in jQuery script, I'm accessing database through someconfigfile.php and 'list' action.

The someconfigfile.php includes MySQL connection string and also my SQL query for populating the table in front-end view. What I want to do for security purposes is to put someconfigfile.php in directory above my public_html folder. Folder containing HTML, PHP and CSS files for front-end will stay below public_html.

My question is:

  • Will my password be accessible by anyone if I put it above public_html? My whole front-end code is this jQuery jTable above.
  • Am I vulnerable to SQL Injection if I only get data with mysql_fetch_assoc($result) and then print json_encode of the array()? User cannot enter any data here.

Edit: Please also note that from jTable CRUD functions I've only left Read option. Create, Update and Delete options have been removed.
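Putting the question's setup into one endpoint, as an added example that is not code from the question or from either answer: a someconfigfile.php that loads the credentials from a directory above public_html and serves jTable's list action through a prepared statement. The file paths, the table and column names, and the jtStartIndex/jtPageSize handling are assumptions, not from the original post.

```php
<?php
// someconfigfile.php: sits under public_html (web-reachable) but holds no
// secrets. Added example; file paths, table and column names are assumptions.
declare(strict_types=1);

// Credentials live above the document root, e.g. /home/user/private/, so the
// web server cannot serve them. With this script at
// /home/user/public_html/app/someconfigfile.php, dirname(__DIR__, 2) is /home/user.
require_once dirname(__DIR__, 2) . '/private/dbCredentials.php';
// dbCredentials.php defines $strHostName, $strDbName, $strUserName, $strPassword.

header('Content-Type: application/json; charset=utf-8');

if (($_GET['action'] ?? '') !== 'list') {
    echo json_encode(['Result' => 'ERROR', 'Message' => 'Unknown action']);
    exit;
}

try {
    $pdo = new PDO(
        "mysql:host=$strHostName;dbname=$strDbName;charset=utf8mb4",
        $strUserName,
        $strPassword,
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );

    // jTable appends jtStartIndex / jtPageSize to the query string when paging
    // is on. They are client-supplied, so a "read-only" endpoint still takes
    // input: cast and bind them, never concatenate them into the SQL.
    $start = max(0, (int) ($_GET['jtStartIndex'] ?? 0));
    $size  = min(100, max(1, (int) ($_GET['jtPageSize'] ?? 20)));

    $stmt = $pdo->prepare(
        'SELECT product_name AS column1, quantity AS column2
           FROM stock_summary ORDER BY product_name LIMIT :start, :size'
    );
    $stmt->bindValue(':start', $start, PDO::PARAM_INT);
    $stmt->bindValue(':size', $size, PDO::PARAM_INT);
    $stmt->execute();

    echo json_encode(['Result' => 'OK', 'Records' => $stmt->fetchAll(PDO::FETCH_ASSOC)]);
} catch (PDOException $e) {
    // Log server-side only; the message can reveal host, user or schema names.
    error_log($e->getMessage());
    echo json_encode(['Result' => 'ERROR', 'Message' => 'Database error']);
}
```

jTable's jtSorting parameter is deliberately ignored here: a client-chosen sort column would have to be matched against a fixed allow-list before it could go into ORDER BY.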

Answer 1:

I'm not sure how this works really as I haven't tried it, but learned about it the other day so I thought I'd share.

With GoDaddy, you can point your primary domain name at a sub-directory, therefore creating a new document root before it, so to speak. This may not be the case for other hosts but worth checking.

For example, create a new directory called 'application' in your root directory, upload your application's files there and point your primary domain there (You may need to remove the domain name first and then add it again with the specified directory). You can then include files - your database credentials for example - from before your new document root, which is now not available to the public but available to your application.

NEW STRUCTURE

DB Credentials:

/home/www/html/someSite/dbCredentials.php

Your Website (where primary domain is now pointed):

/home/www/html/someSite/application/index.php

EXAMPLE:

In dbCredentials.php add your credentials:

<?php
$strHostName = "10.10.10.10";
$strDbName = "dbname";
$strUserName = "dbuser";
$strPassword = "xxx***xxx";
?>

On your web page, include the file and use variables as normal:

<?php
require_once ('/home/www/html/someSite/dbCredentials.php');
$db_found = new PDO("mysql:host=$strHostName..........);
?>

SOURCE:

http://support.godaddy.com/help/article/4175/specifying-a-new-default-document-root-on-your-hosting-account?pc_split_value=4&countrysite=uk

If you try it, let me know how it goes.

Answer 2:

The password will be stored in your PHP files and therefore not accessible through an HTTP request, even if those files are located under the public_html folder.

Being on a shared host exposes you to the possibility that someone using the same hosting server might be able to get access to your files, but I assume your hosting company did everything they have to do in order to restrict access to files between customers.

That said, you still need to protect your HTML files with a password; otherwise anyone would be able to gain access to your database information.