Menu
I want to know what is the best practice or what is recommended to do when a variables are created for MySQL credentials/host.
define('HOST', 'localhost'); // etc.. mysql_connect(HOST, // etc... vs
$host = 'localhost'; // etc.. mysql_connect($host, // etc... For both you can easily check what are the declared variables or constants and maybe can find what are the value easily. I have code that multiple users can share and use.
What is the best way to protect these variables?
792
This means that anyone can attempt to connect to the server using any user name, so you cannot make a database secure in any way unless all MySQL accounts have passwords. Anyone who specifies a user name for an account that has no password can connect successfully to the server.
MySQL stores credentials in the user table in the mysql system database. Operations that assign or modify passwords are permitted only to users with the CREATE USER privilege, or, alternatively, privileges for the mysql database ( INSERT privilege to create new accounts, UPDATE privilege to modify existing accounts).
To persist a global system variable to the mysqld-auto. cnf option file in the data directory, precede the variable name by the PERSIST keyword or the @@PERSIST. qualifier: SET PERSIST max_connections = 1000; SET @@PERSIST.
System variables can be set at server startup using options on the command line or in an option file. Most of them can be changed dynamically while the server is running by means of the SET statement, which enables you to modify operation of the server without having to stop and restart it.
Here's few solutions
1) You give each user a user and password and each user has their permissions in the database (only select, or insert ect..). So in your code you simply include a db.config.php so all the variables are set. It does not really matter if the user echo the variables since they use their own.
2) you can give a common username/pass for the database and then encode the file (either using custom encoding, zend optimizer or ioncube and unset the variables. Here's a sample code:
// file mysql_connect.php $link = mysql_connect("localhost", "mysql_user", "mysql_password") or die("cannot connect to database : " . mysql_error()); // then this file is encoded so nobody can view it. 3) At some point, someone, somehow will be able to find this information. I would simply recommend to trust your user (assuming these are developers)
129
At some point in your code you will have to hardcode this kind of information, the important thing is to keep it in only one place to promote maintanability. However, as you are worried about security I suggest you to check this: Convert PHP file to binary
29
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
