  1. #1
    Join Date
    Dec 2003
    Posts
    61

    Unanswered: php and mysql simple question

    I'm worried...
    Lots of my php pages include this sort of line:

    $db = mysql_connect("localhost", "root", "password");


    That means that users that logon to my website have the username and password!

    Is there a way around this?

    Thanks
    Noam

  2. #2
    Join Date
    Dec 2003
    Posts
    6
    put
    $db = mysql_connect("localhost", "root", "password");
    in a new file and name it auth.php then in all your pages replace
    $db = mysql_connect("localhost", "root", "password");
    with:
    require('auth.php');

  3. #3
    Join Date
    Dec 2003
    Posts
    61
    Originally posted by dhoyos
    put
    $db = mysql_connect("localhost", "root", "password");
    in a new file and name it auth.php then in all your pages replace
    $db = mysql_connect("localhost", "root", "password");
    with:
    require('auth.php');


    So what would stop people from viewing auth.php code???

  4. #4
    Join Date
    Dec 2003
    Posts
    6
    You would put auth.php outside of the public_html (www) folder. That way no one would be able to access it. Just make sure you link to it correctly in the require statement. Hope that helps.

  5. #5
    Join Date
    Dec 2003
    Posts
    61
    oh so it grabs a file that's only accessible internally and not from the www
    like for example:
    if my website is in
    d:\wwwroot\

    I can put the file directly in d:\

    Brilliant!!!!!!!!

  6. #6
    Join Date
    Dec 2003
    Posts
    31
    If you have php tags around it, then no one will be able to view it unless php fails. But what he said is the best way to fix this!

  7. #7
    Join Date
    Mar 2004
    Posts
    2

    PHP Protection

    I'm very interested in this ability to conceal one's php/root password.
    Sorry to sound naive.. but how do I link from the root "/" to the page in question?

    Eg: The page is in www.mysite.com/php-testing/temp.php
    and within the page is the line: require('auth.php');
    but in order for that to work "auth.php" would need to be in www.mysite.com/php-testing/
    when I want auth.php to be in "/" out of the public_html folder (/www)

    now I've tried:
    require('/auth.php');
    require('/home3/username/auth.php');
    Etc..

    and I keep on receiving the same error

    Warning: main(/auth.php): failed to open stream: No such file or directory in /home3/username/public_html/php-testing/temp.php on line 4

    Fatal error: main(): Failed opening required '/auth.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home3/username/public_html/php-testing/temp.php on line 4

    I would appreciate any help anyone could offer
    Last edited by Quisk; 03-15-04 at 07:48.

  8. #8
    Join Date
    Mar 2004
    Posts
    17
    really, can you do that?

    if your main file is located in the public root folder:
    eg.(/usr/local/http/htdocs/main.php)

    and you want your database function outside this folder:
    eg.(/usr/local/http/db_fns.php)

    can you simply include this in main.php
    eg.(require("../db_fns.php");)

    in that case, how secure is that?
    Last edited by Deviruchi; 03-22-04 at 01:08.

  9. #9
    Join Date
    Dec 2003
    Posts
    61
    yeah, i opened this subject a long while ago and been using this "trick" for a while now.

    i'm running on win2k server all this stuff with apache.
    "d:\backup files\website files\" is my wwwroot.
    i put the auth.php file in d:\

    That means that if my php failed one day for some reason, my usernames and passwords would show up in clear text. all you'd see is "require d:\auth.php .... etc"

    I'm pretty happy with that. Unfortunately, if i ever migrate to a real webhost server (not my home) i'd have a hell of a time implementing it. I'd have to ask the webhost company to put that auth file outside my wwwroot and ask them for the directory location.
    I wonder if they do that or will just tell me "no way!"

    Either way, i've been learning more and more about this MYSQL and PHP and i think that if someone did in fact get your password to your database, they can't do much with it really. You'd have to have a security hole in your code, or have port 3306 (MYSQL port) open to the net which is silly if you ask me.
    When i need direct access to 3306, i tunnel it using ssh.
    Noam
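
One way to do what posts #4 to #9 describe, as an added example that is not code from the thread: the credentials live in a file above the document root, the page finds it by filesystem path (the distinction that tripped up post #7), and the loader refuses a file the web server could serve. The directory layout, the `db_config.php` name and the `load_db_config` function are assumptions; `mysqli` is used because `mysql_connect()` was removed in PHP 7.

```php
<?php
// Added example, not code from the thread. Assumed layout (constructed):
//   /home3/username/private/db_config.php    outside the web root
//   /home3/username/public_html/             document root
// db_config.php is assumed to hold only a "return [...]" statement with the
// keys host, user, pass and name, for a MySQL account that is not root.

function load_db_config(string $docRoot, string $relative = '../private/db_config.php'): array
{
    // realpath() resolves ".." and symlinks, and returns false when the
    // file does not exist on disk.
    $root = realpath($docRoot);
    $path = realpath($docRoot . DIRECTORY_SEPARATOR . $relative);
    if ($root === false || $path === false) {
        throw new RuntimeException('Config not found: use a filesystem path, not a URL path');
    }

    // Refuse a file that sits under the document root, where a broken
    // PHP handler would serve it as plain text.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) === 0) {
        throw new RuntimeException('Config file is inside the web root');
    }

    $config = require $path;
    if (!is_array($config)) {
        throw new RuntimeException('Config file must return an array');
    }
    return $config;
}

try {
    $cfg = load_db_config($_SERVER['DOCUMENT_ROOT']);
    $db  = new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name']);
    if ($db->connect_errno) {   // PHP before 8.1 does not throw here by default
        throw new RuntimeException($db->connect_error);
    }
} catch (Throwable $e) {
    // Log the detail server-side; never echo paths or credentials to the client.
    error_log('Database setup failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Database unavailable');
}
```

On a shared host the directory above `public_html` is normally the account's home directory, so the file can be uploaded there without asking the provider.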

  10. #10
    Join Date
    Mar 2004
    Location
    INDIA
    Posts
    2

    php-mysql queries executed but data are not shown in the corresponding table

    kindly answer this question and help me out as i am in big trouble

    i have used the following code for inserting entries into my database
    but though no error is coming, no values are being inserted into the
    corresponding table. what can be the reasons?



    plz plz help

    <html><head><title>nit-jalandhar</title></head>

    <?php # student1.php

    // validating the fields
    if(isset($_POST['submit'])){

    // handle the form
    if(empty($_POST['name']))
    {
    $n=FALSE;
    $message='<p>you forget to enter your name !</p>';
    }
    else
    {
    $n=$_POST['name'];
    }

    if(empty($_POST['branch']))
    {
    $b=FALSE;
    $message='<p>you forget to enter your branch !</p>';
    }
    else
    {
    $b=$_POST['branch'];
    }
    if(empty($_POST['fathername']))
    {
    $fn=FALSE;
    $message='<p>you forget to enter your father name !</p>';
    }
    else
    {
    $fn=$_POST['fathername'];
    }

    if(empty($_POST['batch']))
    {
    $bt=FALSE;
    $message='<p>you forget to enter your batch !</p>';
    }
    else
    {
    $bt=$_POST['batch'];
    }




    if(empty($_POST['regnumber']))
    {
    $rn=FALSE;
    $message='<p>you forget to enter your batch !</p>';
    }
    else
    {
    $rn=$_POST[' regnumber'];
    }

    }

    if($n && $b && $fn && $bt && $rn)
    {
    connecting to mysql server

    mysql_connect("localhost","","");
    mysql_select_db("institute" );
    make the querry
    $querry="INSERT INTO students(name,branch,fathername,batch,regnumber)
    VALUES('$n','$b','$fn','$bt',$rn')" or die("".mysql_error());

    $result= mysql_querry($querry)or die("".mysql_error());// RUN THE QUERRY
    if ($result)
    {
    echo'<p> your entry has been registered!</p>';

    }
    else
    {
    echo'<p> your entry has not been registered!</p>';
    }

    }

    if (isset($message))
    {
    echo'<font color="red">',$message,'</font>';
    }

    ?>

    <form action="<? echo $_server['PHP_SELF']; ?>" method="post">

    <p><b>NAME:</b><input type="text" name="name" size="30" value="<?php if(isset($_POST['name'])) echo $_post['name']; ?>" /> </p>

    <p><b>BRANCH:</b><input type="text" name="branch" size="30" value="<?php if(isset($_POST['branch'])) echo $_post['branch']; ?>" /> </p>

    <p><b>FATHER NAME:</b><input type="text" name="fathername" size="30" value="<?php if(isset($_POST['fathername'])) echo $_post['fathername']; ?>" /> </p>

    <p><b>BATCH:</b><input type="text" name="batch" size="30" value="<?php if(isset($_POST['batch'])) echo $_post['batch']; ?>" /> </p>

    <p><b>REGISTRATION NUMBER:</b><input type="text" name="regnumber" size="30" value="<?php if(isset($_POST['regnumber'])) echo $_post['regnumber']; ?>" /> </p>

    <div align="center"> <input type="submit" name="submit" value= "Register" /> </div>

    </body>
    </html>

  11. #11
    Join Date
    Dec 2003
    Posts
    61
    i'm no expert but i just look at the mistakes i always make

    look closely at:

    $querry="INSERT INTO students(name,branch,fathername,batch,regnumber)
    VALUES('$n','$b','$fn','$bt',$rn')" or die("".mysql_error());


    see? I make this mistake ALL THE TIME!!!

    $rn is not enclosed by ' properly.
    oooops huh?

    I really hope this was the problem - that would make it easy
    Noam

  12. #12
    Join Date
    Mar 2004
    Location
    INDIA
    Posts
    2

    thanks but that is not enough

    respected noamkrief sir
    thanks that you have analysed the code but it is still not working

    is it possible that queries are executed but no rows or columns are
    affected? if yes what can be the reasons?

  13. #13
    Join Date
    Dec 2003
    Posts
    61
    oh that's too bad. That missing ' looked like it would definitely be a big problem.
    I'm no expert at MYSQL and PHP yet.
    what i would do is backup that code to a disk, and simplify it.

    Right before this code do:
    echo "".$n....... etc.....
    $querry="INSERT INTO students(name,branch,fathername,batch,regnumber)
    VALUES('$n','$b','$fn','$bt','$rn')";


    or echo the entire SQL statement:

    echo "querry=INSERT INTO students(name,branch,fathername,batch,regnumber)
    VALUES('$n','$b','$fn','$bt','$rn')";

    and then see if it looks right.

    also try manually adding your real numbers or letters to your variables and see if you get anything....

    $querry="INSERT INTO students(name,branch,fathername,batch,regnumber)
    VALUES('hello','1','2','3','goodbye')";


    Get rid of everything else and see if the above statement works at least.
    also try putting the sql query all in one line.... No "enter" in the middle...
    $querry="INSERT INTO students(name,branch,fathername,batch,regnumber) VALUES('$n','$b','$fn','$bt','$rn')";

    I wish i can help more
    Noam

    <form action="<? echo $_server['PHP_SELF']; ?>" method="post">
    look at the above line.... Do you need php after the "?"

    <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
    Last edited by noamkrief; 03-23-04 at 04:09.
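
The insert step from post #10 rewritten with a `mysqli` prepared statement, as an added example that is not the poster's code: placeholders remove the hand-written quoting that post #11 points at, and strict error reporting makes a failed query visible instead of silent. The `insert_student` and `h` helpers, the `webapp` account and the password are hypothetical; the table and column names are the ones in the thread.

```php
<?php
// Added example, not the poster's code. Assumes a `students` table with the
// five text columns named in the thread.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw

// Returns a list of error messages; an empty list means one row was inserted.
function insert_student(mysqli $db, array $post): array
{
    $fields = ['name', 'branch', 'fathername', 'batch', 'regnumber'];
    $values = [];
    $errors = [];
    foreach ($fields as $field) {
        $raw   = $post[$field] ?? null;
        $value = is_string($raw) ? trim($raw) : '';
        if ($value === '') {
            $errors[] = "You forgot to enter your $field.";
        }
        $values[] = $value;
    }
    if ($errors) {
        return $errors;
    }
    try {
        // Placeholders replace hand-written quotes, so a missing ' cannot
        // break the statement and user input is never parsed as SQL.
        $stmt = $db->prepare(
            'INSERT INTO students (name, branch, fathername, batch, regnumber)
             VALUES (?, ?, ?, ?, ?)'
        );
        $stmt->bind_param('sssss', ...$values);
        $stmt->execute();
        return $stmt->affected_rows === 1 ? [] : ['No row was inserted.'];
    } catch (mysqli_sql_exception $e) {
        error_log('Insert failed: ' . $e->getMessage()); // detail stays in the log
        return ['Your entry could not be registered.'];
    }
}

// Escape anything echoed back into the page or the form's value="" attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Placeholder credentials (constructed); load real ones from outside the web root.
    $db     = new mysqli('localhost', 'webapp', 'placeholder-password', 'institute');
    $errors = insert_student($db, $_POST);
    echo $errors ? '<p>' . implode('<br>', array_map('h', $errors)) . '</p>'
                 : '<p>Your entry has been registered!</p>';
}
```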
