I don’t seem to be able to get a straight answer on this, so hopefully somebody can help.
If I include a mysqli_connect() statement in my PHP script and also include my MySQL username and password, will those details be vulnerable at any point? Obviously anything between PHP brackets is not served up on the client side (and therefore should not be viewable when viewing the source etc.) however is there any other way that those details could be compromised?
If, for some reason, PHP suddenly doesn’t work (due to an upgrade, a corrupt config file, etc.), the files might get served as HTML and the login information will be made freely available to anybody visiting the site. I have seen this happen before.
The best way to get around this is to move everything out of your webroot, except an index.php file that just includes one file outside of the directory. This also means that your source code won’t get compromised, assuming PHP won’t work. E.g. /var/www/public_html only holds one file: index.php. Everything else is then located in /var/www. If PHP then fails, only index.php will be compromised.

This will make it perfectly safe, unless your server itself gets compromised or you allow users to execute PHP code, but that is a whole other question. Most modular CMS’s also unset all connection variables after the connection has been initialized to avoid one of the modules being able to accidentally expose anything.
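The layout the answer above describes, written out as an added example (this is not code from the original question or answer). The docroot /var/www/public_html, the sibling directory /var/www/app, the file names config.php and bootstrap.php, the function name connectDatabase() and the placeholder credentials are all assumptions chosen for illustration; the three files are shown in one listing, separated by comments.

```php
<?php
// ---------------------------------------------------------------------------
// File: /var/www/public_html/index.php   (the ONLY file inside the webroot)
// Assumed layout for this example: the document root is /var/www/public_html
// and the application lives one level above it, in /var/www/app.
// __DIR__ is the directory of this file, so the path does not depend on the
// working directory the web server happens to use. If the PHP handler is ever
// misconfigured and this file is served as plain text, this single line is all
// a visitor can read: no hostname, no username, no password.
require __DIR__ . '/../app/bootstrap.php';

// ---------------------------------------------------------------------------
// File: /var/www/app/config.php   (outside the webroot, not reachable by URL)
// The file *returns* the settings instead of defining globals, so the caller
// decides how long the credentials stay in memory.
<?php
return [
    'host' => 'localhost',
    'user' => 'app_user',     // placeholder account name, not a real credential
    'pass' => 'change-me',    // placeholder password, not a real credential
    'name' => 'app_db',
];

// ---------------------------------------------------------------------------
// File: /var/www/app/bootstrap.php   (outside the webroot)
<?php
// Throw exceptions on connection errors instead of silently returning false,
// so a bad password cannot go unnoticed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Open the database connection and return only the handle.
 *
 * The credentials are loaded into a local variable, used once, and unset before
 * the function returns, mirroring what the answer says modular CMS's do: later
 * code (modules, templates, debug output such as var_dump($GLOBALS)) never has
 * access to the password, only to the already authenticated connection.
 */
function connectDatabase(string $configFile): mysqli
{
    $cfg = require $configFile;   // credentials exist only in this scope
    $db  = new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name']);
    $db->set_charset('utf8mb4');
    unset($cfg);                  // drop the password as soon as the handle exists
    return $db;
}

$db = connectDatabase(__DIR__ . '/config.php');

// Everything below this point (and every included module) works with $db and
// has no way to recover the password from it.
$result = $db->query('SELECT NOW() AS server_time');
$row    = $result->fetch_assoc();
echo 'Connected, server time is ' . htmlspecialchars($row['server_time']);
```

Two checks are worth doing after deploying this layout: list the document root and confirm that index.php is the only file in it, and request index.php over HTTP to confirm you get the rendered page rather than its source. The /var/www/app directory still has to be readable by the user the web server runs as, but because it sits outside the document root there is no URL that maps to it, so a broken PHP handler can only ever expose the one require line.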