mysql/php is this a secure way to connect to mysql

2020-07-30 00:50发布

问题:

Ok , so many people are asking this question, and there are many approaches on how to make the connection to DB secure,

Now I did some googling , many suggest, putting the connection to DB code in a file outside the html_public , and to call it from there when I need to make a connection.

to be honest, am happy with what I have, though I'm not sure how secure it is,

this is how I connect to the DB:

first, I make sure all inputs are fully escaped and validated...

after , in the same page , i make the connection, for example:

mysql_connect("localhost","Admin","Password") or 
die ("DB Connection Error");
mysql_select_db("Users") or die ("DB Error");

and the rest of the code after, I close the mysql connection.

Now , It just don't feel right that the DB user info are written in the page, but how can someone (a "hacker") , get this info?

I mean , all inputs are fully escaped and validated, the users I use have very limited previleges, like select and update... only.

Is this secure?? and if not, can u please suggest a more secure way?

Thank you very much for ur help in advance :)

shady

回答1:

The reason you should consider putting this file outside the web root is that some hosting providers have temporarily stopped interpreting PHP from time to time (due to configuration faults, often after an update on their part). The code will then get sent in clear text and the password will be out in the wild.

Consider this directory structure, where public_html is the web root:

/include1.php
/public_html/index.php
/public_html/includes/include0.php

Now consider this index.php:

<?php
include('includes/include0.php');
do_db_work_and_serve_page_to_visitor();
?>

If the web server starts serving this file in the open, it won't take long before someone tries to download include0.php. Nobody will be able to download include1.php, however, because it's outside the web root and therefore never handled by the web server.



回答2:

I've personally not heard of a hosting provider not interpreting PHP, leading to your php source code going public. I just did a quick test on this on a RHEL5-Based server without php installed, and just got back a blank page when trying to access a php document.

mysql_* functions have become deprecated with the latest releases of php, and are now moving towards mysqli, as an overall more efficient and secure solution; I'd recommend taking a look into that; http://php.net/manual/en/book.mysqli.php - there's no deprecation errors or anything of the sort yet in PHP5.4 for using plain mysql_ functions, but if you're looking to keep on top of things, take a look into mysqli.

As for a quick answer to your above question, to be honest, I'd see that method as reasonably secure. Just make sure you've got escape chars etc set up, and I don't think you'll run into any issues.

Edit: Some people have posted that in very rare cases, some providers can leak your php source code in this manner. If this is the case, my first advice would be to switch provider.. but using an include_once to load your db info from another php file/lib would be a quick workaround for this. But again, if your provider's setup does allow for leaks such as these, I would be more concerned about their security than yours.

You can have php grab your DB password from a text file stored outside of the public webspace (using fopen), but I personally don't see any real reason for doing this.

Best of luck!

  • Eoghan


回答3:

The best pratice is to use PHP PDO instead of the old mysql API.

Take a look: http://php.net/manual/en/ref.pdo-mysql.connection.php

Also, here's an interesting article: http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/