juras
7,778 Points
What's considered a 'safe protocol' for accessing a database on the Web?
So I have been playing with my own 'test-drive' database on the localhost. But it is time to move on to the real deal. Are there any 'safe' protocols to access/connect to it from the website? The database administrator has a test-user account set up for me already, but I am more concerned with the precautions that I should be taking. I am using PHP.
2 Answers
Codin - Codesmite
8,600 Points
The source code of PHP scripts is not visible to people inspecting your source code, so in general DB passwords are fairly secure in PHP, unless errors are thrown from the file containing the information, in which case there is a chance it will be printed in the error or be accessible.
Although this article has a very good explanation of storing your passwords outside of the root folder and is roughly the way I do it myself (give or take a few changes depending on how the server is configured):
https://www.binpress.com/tutorial/using-php-with-mysql-the-right-way/17 (Also has a guide on doing the following in OOPHP)
Example:
The root of my webserver is "/localhost/public_html/". I create a folder, let's say for example "/localhost/private/". This location is not accessible to others externally, as it does not have a URL, being one level above the root folder.
I place a config.ini at "/localhost/private/config.ini"
The config.ini contains the database login credentials:
[database]
servername = localhost
username = admin
password = password
dbname = db_main
I then create a php function within the root lets say for example at "/localhost/public_html/includes/dbconnect.php"
Contents of dbconnect.php:
<?php
function db_connect() {
    // Define connection as a static variable, to avoid connecting more than once
    static $connection = null;
    // Try and connect to the database, if a connection has not been established yet
    if ($connection === null) {
        // Load configuration as an array. Use the actual location of your configuration file.
        // A relative path is resolved against the working directory of the entry script
        // (here public_html), not against this file; use __DIR__ . '/...' if in doubt.
        $config = parse_ini_file('../private/config.ini');
        if ($config === false) {
            // The config file is missing or unreadable
            return false;
        }
        // Note: on PHP 8.1+ mysqli throws mysqli_sql_exception by default instead of
        // returning false, so wrap this in try/catch there or call mysqli_report(MYSQLI_REPORT_OFF)
        $connection = mysqli_connect($config['servername'], $config['username'], $config['password'], $config['dbname']);
        // If connection was not successful, handle the error
        if ($connection === false) {
            // Handle error - notify administrator, log to a file, show an error screen, etc.
            // The detail goes to the server log, not the browser, so host and username never leak
            error_log('Connection failed: ' . mysqli_connect_error());
            $connection = null; // do not cache the failed attempt
            return false;
        }
    }
    return $connection;
}
// Connect to the database
$connection = db_connect();
// Check connection; show the visitor only a generic message
if ($connection === false) {
    die("Connection failed");
}
?>
As you can see, I parse the values of the config.ini file into an array $config from the server location "../private/config.ini", which is a location that can only be accessed by the localhost and can't be scoped out via a URL.
Whenever I want to connect to the database I just include the dbconnect.php file that contains the function,
<?php
require_once('./includes/dbconnect.php');
?>
and for queries I call the variable $connection from the db_connect() function, for example:
<?php
$sql = "SELECT id, title, stitle, date, section, content FROM articles";
$result = $connection->query($sql);
?>
By doing all this my database login credentials are located outside the scope of the website's root, and if you were to get an SQL or PHP error it will only display the variable names and not the values holding the login credentials.
Hope this helps you work it out (it's pretty confusing and took me a while to get my head around at first); if you need any more help let me know :)
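Added example, not part of the answer above or the linked article: a hardened version of the same credentials-outside-the-web-root pattern, written in PHP for this thread. It assumes the layout from the answer ("/localhost/private/config.ini" holding the [database] keys shown, and the connection file under "/localhost/public_html/includes/"), the articles table from the answer's query, and that the mysqlnd driver is installed (needed for get_result()). The function and variable names are illustrative. Beyond what the answer shows, it resolves the config path relative to the file itself, refuses a world-readable config file, makes mysqli raise exceptions so a failed connection cannot be silently used, sends error detail to the server log while the visitor sees only a generic message, and binds user input with a prepared statement instead of concatenating it into SQL.

```php
<?php
// Added example (not the answer's own code). Assumed layout, as in the answer:
//   /localhost/private/config.ini           (outside the web root, never served)
//   /localhost/public_html/includes/db.php  (this file)
declare(strict_types=1);

// Make mysqli throw mysqli_sql_exception instead of returning false and emitting
// warnings, so a failed connect() or query() can never be ignored by accident.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function db_connect(): mysqli
{
    // Reuse one connection per request
    static $connection = null;
    if ($connection instanceof mysqli) {
        return $connection;
    }

    // Resolve the config path relative to this file, not to the working directory
    // of whichever script included us (assumed path, matching the answer's layout).
    $configPath = __DIR__ . '/../../private/config.ini';

    // Keeping the file out of the web root stops it being served over HTTP, but
    // the credentials are still only as private as the file's permissions: refuse
    // to run if any local user can read it.
    $perms = fileperms($configPath);
    if ($perms === false || ($perms & 0004) !== 0) {
        throw new RuntimeException('config.ini is missing or world-readable');
    }

    $config = parse_ini_file($configPath);
    if ($config === false) {
        throw new RuntimeException('cannot parse database configuration');
    }
    foreach (['servername', 'username', 'password', 'dbname'] as $key) {
        if (!isset($config[$key])) {
            throw new RuntimeException("config.ini is missing '$key'");
        }
    }

    // Throws mysqli_sql_exception on failure because of the report mode above
    $connection = new mysqli(
        $config['servername'],
        $config['username'],
        $config['password'],
        $config['dbname']
    );
    $connection->set_charset('utf8mb4');
    return $connection;
}

// The answer's SELECT, with a filter on a user-supplied value. The value is bound
// as a parameter, so it is sent as data and never becomes part of the SQL text.
function find_articles_by_section(mysqli $db, string $section): array
{
    $stmt = $db->prepare(
        'SELECT id, title, stitle, date, section, content FROM articles WHERE section = ?'
    );
    $stmt->bind_param('s', $section);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // requires mysqlnd
}

try {
    $db = db_connect();
    // Accept only a plain string from the query string (?section[]=x would be an array)
    $section = is_string($_GET['section'] ?? null) ? $_GET['section'] : 'news';
    $rows = find_articles_by_section($db, $section);
    foreach ($rows as $row) {
        echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
} catch (Throwable $e) {
    // Full detail (which may include the host, username and SQL) goes to the
    // server log only; the browser gets a generic message and a 500 status.
    error_log('database error: ' . $e->getMessage());
    http_response_code(500);
    exit('Something went wrong. Please try again later.');
}
```

After deploying, confirm the file really is unreachable by requesting it through the web server (for example with curl against the site's public URL plus a path that tries to climb to private/config.ini) and checking that you get a 404 or 403, not the file contents. The config.ini in the answer logs in as admin; the test account the database administrator set up for the site should carry only the grants the pages actually need (SELECT on the tables they read, INSERT/UPDATE where they write), so that a bug in the PHP cannot be turned into full control of the database.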
juras
7,778 Points
That looks helpful :) Thank you very much!!