Is it necessary to unset my password variable for my MySQL database?
Currently, my code for my “dbpwd.php” is like this:
# database setup
$dbserver = "localhost";
$db_usrname = "blah";
$db_pwd = "blahblahblah";
$dbname = "blah";
but I was thinking… is this a security concern? Because anyone can just do this:
<?php
include 'http://www.mywebsite.com/dbpwd.php';
echo $db_usrname;
echo $db_pwd;
?>
Wouldn’t that give them full access to my stuff… so is it good practice to unset variables that are sensitive at the end of your PHP code? Or is there something that I am missing?
Edit to clarify…
In this situation listed above… they would be using their own PHP server (not mine), and using include from their PHP file to get information from my server.
If someone attempts to perform a remote include via allow_url_fopen to your script, remember that from your server’s point of view that is a regular HTTP request. A properly configured server would then execute the PHP code, rather than send it down as source. So what they would receive, assuming your database configuration file produces no output, would be a blank document. They would not see or have access to your variables.
The result is the same as if you pointed your web browser to http://www.mywebsite.com/dbpwd.php. You would see a blank page.
As I mentioned though, this relies on your web server being properly configured to execute PHP code (which it should be if your code runs when requested otherwise). It is always recommended though, to place sensitive files outside the server’s document root to avoid this issue should your server ever become incorrectly configured.
To answer the other part of your question, you do not need to unset any variables. PHP will clean them up when they are no longer needed, and they are not a danger to your security.
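The recommendation above to keep the credentials file outside the document root, as an added example that is not part of the original answer: a loader that refuses any config file reachable by URL and returns the settings as an array instead of global variables. The function name load_db_config, the public/private directory layout and the array keys are assumptions made for illustration.

```php
<?php
// Added example. Hypothetical layout: public/ is the document root,
// private/ sits beside it and is never mapped to a URL.

function load_db_config(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);
    if ($real === false) {
        throw new RuntimeException("config file not found: $configPath");
    }
    $root = realpath($docRoot);
    if ($root === false) {
        throw new RuntimeException("document root not found: $docRoot");
    }
    // Refuse a credentials file that a misconfigured server could serve as source.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) === 0) {
        throw new RuntimeException("config file is inside the document root");
    }
    // The file returns an array, so no credential variables enter global scope.
    $cfg = require $real;
    foreach (['server', 'user', 'password', 'name'] as $key) {
        if (!is_array($cfg) || !isset($cfg[$key])) {
            throw new RuntimeException("config is missing '$key'");
        }
    }
    return $cfg;
}

// Constructed demo: build the layout in a temp directory with the question's sample values.
$base = sys_get_temp_dir() . '/docroot_demo_' . getmypid();
mkdir("$base/public", 0700, true);
mkdir("$base/private", 0700);
$body = "<?php return ['server' => 'localhost', 'user' => 'blah', "
      . "'password' => 'blahblahblah', 'name' => 'blah'];\n";
file_put_contents("$base/private/dbconfig.php", $body);
file_put_contents("$base/public/dbpwd.php", $body);

$cfg = load_db_config("$base/private/dbconfig.php", "$base/public");
echo "loaded settings for database '{$cfg['name']}' on {$cfg['server']}\n";

try {
    load_db_config("$base/public/dbpwd.php", "$base/public");
} catch (RuntimeException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// Remove the demo files.
unlink("$base/private/dbconfig.php");
unlink("$base/public/dbpwd.php");
rmdir("$base/private"); rmdir("$base/public"); rmdir($base);
```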