Hello guys, I'm new to PHP and I discovered that for a database connection you input your password directly into the .php file (mysql_connect($host, $user, $pass, $db)). I read about hashing and I'm going to use hashing, but the question is: can the user download the precompiled .php file and view my source code and therefore get my database password? If he writes "domain/home" I have an index.php file which prevents the user from entering the directory. Thank you in advance.
PHP provides a native password hashing API that safely handles both hashing and verifying passwords in a secure manner. Another option is the crypt() function, which supports several hashing algorithms.
The password_hash() function is the way to securely store a user's password in the database. Its first parameter is the plaintext password; its second parameter is the algorithm constant: PASSWORD_DEFAULT (currently bcrypt, and may change in future PHP releases) or PASSWORD_BCRYPT to request bcrypt explicitly. The returned string embeds the algorithm, cost and a random salt, so it can be stored as-is and later checked with password_verify().
Retrieve DB password via wp-config.php: the easiest and least invasive way to retrieve that password is to check your wp-config.php file and read the listed password from there.
As mentioned by other answerers, normally this shouldn't be a problem since users won't be able to see the PHP code. If, however, you plan to share the code with others, it can be a bit of a hassle to remove the username and password before sending it to somebody (and, if you forget, they'll know your password).
So, you could put the info in a file and then read it into PHP. For example, create a file called mysql.ini in your home directory and put the following information in it:
host = "127.0.0.1"
username = "user"
password = "pass"
database = "db"
Then, read it into PHP and connect, like this:
// Read the key/value pairs; parse_ini_file() returns false if the file cannot be read or parsed.
$settings = parse_ini_file('/home/mysql.ini');
// mysql_connect() was removed in PHP 7; mysqli_connect() takes the database name as its fourth argument.
$link = mysqli_connect($settings['host'], $settings['username'], $settings['password'], $settings['database']);
Remember to make sure that the file is in a section of the web server that is not publicly accessible, though, otherwise people will be able to read your login info.
You cannot hash the MySQL password and still connect to the database. If you could connect with a hashed password, an attacker could get the hash and connect just as well. Hashing (even better when salted) is a good thing if you're storing passwords for your users in a database, but isn't really usable when storing database credentials.
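The distinction drawn above (hash the passwords of your own users, but not the database credential) is illustrated by the following added example, which is not code from the question or any of the answers. It shows the password_hash()/password_verify() flow described in the password_hash() paragraph earlier on the page, including a rehash-on-login step; the user record, the cost value of 12 and the function names are assumptions chosen for the demonstration.

```php
<?php
// Added example (not from the original page): storing and checking a *user's*
// password with PHP's native hashing API (PHP >= 5.5). This is the right tool
// for user logins; it cannot be applied to the credential PHP uses to reach
// MySQL, because the server needs the real secret to open the connection.
declare(strict_types=1);

// Assumed cost: tune it so one hash takes roughly 100-250 ms on your hardware.
const HASH_OPTIONS = ['cost' => 12];

/**
 * Hash a plaintext password for storage. The result embeds algorithm, cost and
 * a random salt (e.g. "$2y$12$..."), so no separate salt column is needed.
 */
function hash_for_storage(string $plaintext): string
{
    return password_hash($plaintext, PASSWORD_DEFAULT, HASH_OPTIONS);
}

/**
 * Verify a login attempt. Returns null if the password is wrong; otherwise
 * returns the hash that should now be kept in the database, which is a fresh
 * one when the stored hash was made with weaker parameters than the current
 * defaults (transparent upgrade at login time, since only then is the
 * plaintext available).
 */
function verify_login(string $plaintext, string $storedHash): ?string
{
    if (!password_verify($plaintext, $storedHash)) {
        return null;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, HASH_OPTIONS)) {
        return hash_for_storage($plaintext);
    }
    return $storedHash;
}

// Constructed user record standing in for a database row.
$users = ['alice' => hash_for_storage('correct horse battery staple')];

$ok   = verify_login('correct horse battery staple', $users['alice']);
$fail = verify_login('wrong password', $users['alice']);
echo 'correct password accepted: ', var_export($ok !== null, true), PHP_EOL;
echo 'wrong password accepted:   ', var_export($fail !== null, true), PHP_EOL;

// Hashing the same plaintext twice gives two different strings because the
// salt is random; password_verify() still accepts both.
$a = hash_for_storage('x');
$b = hash_for_storage('x');
echo 'two hashes of the same password identical: ', var_export($a === $b, true), PHP_EOL;
echo 'both verify: ', var_export(password_verify('x', $a) && password_verify('x', $b), true), PHP_EOL;

// A hash made with a lower cost is accepted but flagged for rehash.
$old = password_hash('x', PASSWORD_DEFAULT, ['cost' => 4]);
$new = verify_login('x', $old);
echo 'low-cost hash replaced on login: ', var_export($new !== null && $new !== $old, true), PHP_EOL;
```

Run it with php from the command line. On a real site the return value of verify_login() is written back to the user's row whenever it differs from the stored hash, which is how an application raises its bcrypt cost over time without forcing password resets.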
Most people, rather than directly including a mysql_connect call with all the credentials in their main application file, would at least require a configuration file from outside the document root containing the credentials.
If you have a file like config.php outside of the document root, then unless they can find a directory traversal hole in the server, config.php cannot be accessed remotely.