Re: [PHP] Password in script
The GRANT USAGE statement creates a user with no priveleges ... the user exists but can't do anything. See MySQL Manual section 6.13 Michael On Fri, 19 Jul 2002, Sailom wrote: > I just checked grant and it said something like... > GRANT USAGE ON *.* TO 'X'@'%' IDENTIFIED BY . > Does this means user named 'X' can log in from any server? This may be > a silly question. > > > "Jonathan Rosenberg" <[EMAIL PROTECTED]> wrote in message > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > Yes, but if you're on a shared server, other users of the user will likely > > be able to read your PHP files & get the password. > > > > > -Original Message- > > > From: Tyler Longren [mailto:[EMAIL PROTECTED]] > > > Sent: Thursday, July 18, 2002 23:10 PM > > > To: Sailom > > > Cc: [EMAIL PROTECTED] > > > Subject: Re: [PHP] Password in script > > > > > > > > > It's fine. There's no other way to do it really. Somebody would have > > > to be able to see the source to the php file before they could see the > > > password for mysql. They won't get it just by viewing the webpage > > > that's already been parsed by php. > > > > > > -- > > > Tyler Longren > > > Captain Jack Communications > > > [EMAIL PROTECTED] > > > www.captainjack.com > > > > > > > > > > > > On Fri, 19 Jul 2002 10:03:02 +0700 > > > "Sailom" <[EMAIL PROTECTED]> wrote: > > > > > > > I am new to PHP and MySQL and never have experience in this area. I > > > > am writing a PHP script that connects to MySQL server. I have to put > > > > a password of MySQL into the PHP script. I think it may not be > > > > secured. What do you think? How can I make it more secure? Thanks. > > > > > > > > > > > > > > > > -- > > > > PHP General Mailing List (http://www.php.net/) > > > > To unsubscribe, visit: http://www.php.net/unsub.php > > > > > > -- > > > PHP General Mailing List (http://www.php.net/) > > > To unsubscribe, visit: http://www.php.net/unsub.php > > > > > > > > > > > > -- n i n t i . c o m php-python-perl-mysql-postgresql Michael Hall [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Password in script
Actually, there is Banother way and you should consider it. Sensitive information like passwords should be kept in a file stored outside the live web content directory (ie, outside DocumentRoot on Apache). This file can then be included in your main file. This way, you can be sure that a misconfigured Apache (accidentally or otherwise) will never send your php scripts out as plain text. This doesn't solve the problem of other users on the same system snooping around your filesystem, though. All the MySQL advice is good advice. Michael On Thu, 18 Jul 2002, Tyler Longren wrote: > It's fine. There's no other way to do it really. Somebody would have > to be able to see the source to the php file before they could see the > password for mysql. They won't get it just by viewing the webpage > that's already been parsed by php. > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Password in script
Ok I am going to give out my little secret that was passed to me. Your
worry is warranted in my opinion especially since let's say your isp is in
the middle of an upgrade or something happens to php that breaks it.. Now
your php code is being shown as regular text.. Anybody can see your code.
There are a lot of things that could possibly go wrong.. Maybe an error
happens and it shows where you have the error and it shows your username and
password.. So many things.. So use an external file that is below your
htdocs/www/public_html directory. I usually use a directory called
phpinc/php_inc/php. Call it whatever you want :) and then put a file in it
called say.. query.inc
query.inc
Error in Query";
echo "Query: \"$query\"";
echo mysql_errno($connect).": ".mysql_error($connect)."";
exit;
}
}
?>
Include this file within any file that will be doing database queries. Then
whenever you want to make a call to the database use this syntax:
$result = queryDB("YOUR SQL QUERY HERE");
Plus it will show you where you are getting your mysql errors when you have
them. It's a great little function.. Thank you John Ash! :) Gotta give
credit where it's due :)
I hope it helps!
Cheers!
Rick
He who is devoid of the power to forgive is devoid of the power to love. -
Dr. Martin Luther King, Jr.
> From: "Sailom" <[EMAIL PROTECTED]>
> Date: Fri, 19 Jul 2002 11:33:59 +0700
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] Password in script
>
> I just checked grant and it said something like...
> GRANT USAGE ON *.* TO 'X'@'%' IDENTIFIED BY .
> Does this means user named 'X' can log in from any server? This may be
> a silly question.
>
>
> "Jonathan Rosenberg" <[EMAIL PROTECTED]> wrote in message
> [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
>> Yes, but if you're on a shared server, other users of the user will likely
>> be able to read your PHP files & get the password.
>>
>>> -Original Message-
>>> From: Tyler Longren [mailto:[EMAIL PROTECTED]]
>>> Sent: Thursday, July 18, 2002 23:10 PM
>>> To: Sailom
>>> Cc: [EMAIL PROTECTED]
>>> Subject: Re: [PHP] Password in script
>>>
>>>
>>> It's fine. There's no other way to do it really. Somebody would have
>>> to be able to see the source to the php file before they could see the
>>> password for mysql. They won't get it just by viewing the webpage
>>> that's already been parsed by php.
>>>
>>> --
>>> Tyler Longren
>>> Captain Jack Communications
>>> [EMAIL PROTECTED]
>>> www.captainjack.com
>>>
>>>
>>>
>>> On Fri, 19 Jul 2002 10:03:02 +0700
>>> "Sailom" <[EMAIL PROTECTED]> wrote:
>>>
>>>> I am new to PHP and MySQL and never have experience in this area. I
>>>> am writing a PHP script that connects to MySQL server. I have to put
>>>> a password of MySQL into the PHP script. I think it may not be
>>>> secured. What do you think? How can I make it more secure? Thanks.
>>>>
>>>>
>>>>
>>>> --
>>>> PHP General Mailing List (http://www.php.net/)
>>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>
>>> --
>>> PHP General Mailing List (http://www.php.net/)
>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>
>>>
>>
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Password in script
I just checked grant and it said something like... GRANT USAGE ON *.* TO 'X'@'%' IDENTIFIED BY . Does this means user named 'X' can log in from any server? This may be a silly question. "Jonathan Rosenberg" <[EMAIL PROTECTED]> wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Yes, but if you're on a shared server, other users of the user will likely > be able to read your PHP files & get the password. > > > -Original Message- > > From: Tyler Longren [mailto:[EMAIL PROTECTED]] > > Sent: Thursday, July 18, 2002 23:10 PM > > To: Sailom > > Cc: [EMAIL PROTECTED] > > Subject: Re: [PHP] Password in script > > > > > > It's fine. There's no other way to do it really. Somebody would have > > to be able to see the source to the php file before they could see the > > password for mysql. They won't get it just by viewing the webpage > > that's already been parsed by php. > > > > -- > > Tyler Longren > > Captain Jack Communications > > [EMAIL PROTECTED] > > www.captainjack.com > > > > > > > > On Fri, 19 Jul 2002 10:03:02 +0700 > > "Sailom" <[EMAIL PROTECTED]> wrote: > > > > > I am new to PHP and MySQL and never have experience in this area. I > > > am writing a PHP script that connects to MySQL server. I have to put > > > a password of MySQL into the PHP script. I think it may not be > > > secured. What do you think? How can I make it more secure? Thanks. > > > > > > > > > > > > -- > > > PHP General Mailing List (http://www.php.net/) > > > To unsubscribe, visit: http://www.php.net/unsub.php > > > > -- > > PHP General Mailing List (http://www.php.net/) > > To unsubscribe, visit: http://www.php.net/unsub.php > > > > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Password in script
Yes, but if you're on a shared server, other users of the user will likely be able to read your PHP files & get the password. > -Original Message- > From: Tyler Longren [mailto:[EMAIL PROTECTED]] > Sent: Thursday, July 18, 2002 23:10 PM > To: Sailom > Cc: [EMAIL PROTECTED] > Subject: Re: [PHP] Password in script > > > It's fine. There's no other way to do it really. Somebody would have > to be able to see the source to the php file before they could see the > password for mysql. They won't get it just by viewing the webpage > that's already been parsed by php. > > -- > Tyler Longren > Captain Jack Communications > [EMAIL PROTECTED] > www.captainjack.com > > > > On Fri, 19 Jul 2002 10:03:02 +0700 > "Sailom" <[EMAIL PROTECTED]> wrote: > > > I am new to PHP and MySQL and never have experience in this area. I > > am writing a PHP script that connects to MySQL server. I have to put > > a password of MySQL into the PHP script. I think it may not be > > secured. What do you think? How can I make it more secure? Thanks. > > > > > > > > -- > > PHP General Mailing List (http://www.php.net/) > > To unsubscribe, visit: http://www.php.net/unsub.php > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Password in script
Yes, good point Anas. Make sure that you have mysql set up right. Make sure the root mysql user has a password set and that people can't connect from "%". tyler On Thu, 18 Jul 2002 20:19:05 -0700 (PDT) Anas Mughal <[EMAIL PROTECTED]> wrote: > > Also, allow MySQL connections only from your server. > > Tyler Longren <[EMAIL PROTECTED]> wrote: It's fine. There's no > other way to do it really. Somebody would have > to be able to see the source to the php file before they could see the > password for mysql. They won't get it just by viewing the webpage > that's already been parsed by php. > > -- > Tyler Longren > Captain Jack Communications > [EMAIL PROTECTED] > www.captainjack.com > > > > On Fri, 19 Jul 2002 10:03:02 +0700 > "Sailom" wrote: > > > I am new to PHP and MySQL and never have experience in this area. I > > am writing a PHP script that connects to MySQL server. I have to put > > a password of MySQL into the PHP script. I think it may not be > > secured. What do you think? How can I make it more secure? Thanks. > > > > > > > > -- > > PHP General Mailing List (http://www.php.net/) > > To unsubscribe, visit: http://www.php.net/unsub.php > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > > > - > Do You Yahoo!? > Yahoo! Autos - Get free new car price quotes -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Password in script
THANKS :) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Password in script
Also, allow MySQL connections only from your server. Tyler Longren <[EMAIL PROTECTED]> wrote: It's fine. There's no other way to do it really. Somebody would have to be able to see the source to the php file before they could see the password for mysql. They won't get it just by viewing the webpage that's already been parsed by php. -- Tyler Longren Captain Jack Communications [EMAIL PROTECTED] www.captainjack.com On Fri, 19 Jul 2002 10:03:02 +0700 "Sailom" wrote: > I am new to PHP and MySQL and never have experience in this area. I > am writing a PHP script that connects to MySQL server. I have to put > a password of MySQL into the PHP script. I think it may not be > secured. What do you think? How can I make it more secure? Thanks. > > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php - Do You Yahoo!? Yahoo! Autos - Get free new car price quotes
Re: [PHP] Password in script
It's fine. There's no other way to do it really. Somebody would have to be able to see the source to the php file before they could see the password for mysql. They won't get it just by viewing the webpage that's already been parsed by php. -- Tyler Longren Captain Jack Communications [EMAIL PROTECTED] www.captainjack.com On Fri, 19 Jul 2002 10:03:02 +0700 "Sailom" <[EMAIL PROTECTED]> wrote: > I am new to PHP and MySQL and never have experience in this area. I > am writing a PHP script that connects to MySQL server. I have to put > a password of MySQL into the PHP script. I think it may not be > secured. What do you think? How can I make it more secure? Thanks. > > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
