My question is whether or not it is possible to allow DB connections ONLY from a certain domain. I suppose this could be done by checking the referral URL, but I was curious if there is an easier way.
The reason I am asking this is because I had a thought of someone randomly searching for the config.php file on my server and, if they found out, would simply be able to include it and run mysql queries at will. This is definitely something I would not want.
Is it better to just hide the config file in an unusual place?
Thanks in advance,
Phil
First of all, your config.php should not be publicly accessible from the web. Your web server should be able to include the file when needed, but the file itself should never be served up by your web server. With the correct configuration, you shouldn’t have to worry about someone “finding” your config.php via a browser.
Also, on the database side, you should set up your database so that it only accepts connections from your web server(s). It should not be publicly accessible to anyone on the internet.
If someone is already on your web server that shouldn’t be there, you probably have bigger issues. This might be unavoidable in some shared hosting scenarios, but if that’s a concern, get a private server or a hosting provider that will correctly set up permissions for you.
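
One way to apply the database-side restriction from the answer above on MySQL, shown as an added example that is not part of the original thread. The account name `webapp`, the database `appdb`, the password placeholder and the address 203.0.113.10 (standing in for the web server) are all constructed.

```sql
-- Constructed placeholders: 'webapp', appdb, 203.0.113.10, the password string.

-- Weak form, shown for comparison only (left commented out):
-- the '%' host matches any client, so credentials copied out of config.php
-- would authenticate from any machine that can reach the MySQL port.
-- CREATE USER 'webapp'@'%' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';

-- Restricted form: the account exists only for connections that
-- originate from the web server's address.
CREATE USER 'webapp'@'203.0.113.10' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';

-- Grant only what the application needs, on its own schema only.
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'webapp'@'203.0.113.10';

-- If a wildcard account already exists, pin it to the web server
-- instead of creating a second account (keeps its existing grants):
-- RENAME USER 'webapp'@'%' TO 'webapp'@'203.0.113.10';

-- Audit: list every account whose host part still contains a '%'
-- wildcard and would therefore accept connections from other hosts.
SELECT user, host
FROM mysql.user
WHERE INSTR(host, '%') > 0
ORDER BY user, host;

-- Confirm what the restricted account is actually allowed to do.
SHOW GRANTS FOR 'webapp'@'203.0.113.10';
```

The host part of a MySQL account is checked when the client authenticates, so it complements network-level controls that keep the database port off the internet rather than replacing them.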