Php<->mySQL - how to Protect your login info?


squadjot
07-28-2004, 05:33 PM
Hey guys

I'm a noob using php/mySQL, and got the following question:

In the tutorial-examples of database communication, i often see that you must set your database info...in your php file.. I wondered if other people can download/view those php files?...and that way get your db login data?...

Anyone got a tip how to protect that info?

CyanBlue
07-28-2004, 05:41 PM
if other people can download/view those php files

Just curious... :) How do you do that??? Is there any tool that can do that???

freddycodes
07-28-2004, 08:29 PM
The only way that could happen is if someone gets access to your server. Or if your web server is compromised and fails to parse php files. In which case they would be displayed as plain text in the browser. The truth of the matter is you should be keeping that sensitive information in an include file living physically outside the web root. So if your web server does fail, no one can get the file. The only other thing is if someone hacks your machine, and gets access. But at that point you have much worse problems than a mysql password.

destr3
07-28-2004, 11:16 PM
indeed, freddycodes speaks the wisdom...if someone gets shell or ftp access then you're out of luck...

one quick thing - make sure your include files don't end with the extension ".inc" or ".lib", as most configurations won't map that to the php parser - always name your php files with ".php"

..just my $.02

CyanBlue
07-28-2004, 11:19 PM
as most configurations won't map that to the php parser
Uh... What do you mean???
Are you saying this???
If I type http://www.domain.com/someinclude.inc the server will let you download the file???

destr3
07-28-2004, 11:24 PM
exactly, it will show up as plain text... :( this is because the php parser isn't instructed by the server to parse .inc files by default. So if you have a file called "config.inc" like this:


<?
$config['username'] = "myusername";
$config['password'] = "mysupersecretpassword";
?>


...the server doesn't know to run the file through the php parser, so will just display it as plain text.

CyanBlue
07-28-2004, 11:25 PM
Gotcha... So, basically do what freddycodes said to avoid it...

you should be keeping that sensitive information in a include file living physically outside the web root.

Thanks a lot... :)

destr3
07-28-2004, 11:29 PM
no problem! ;) if you *can* do what freddycodes said (sometimes you will be in a server environment where that may not be allowed) then definitely try and keep config files out of the document root. even then, you want to try and always make sure that anything you want to use in a php app has a php extension :)
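The two pieces of advice in this thread (freddycodes: keep the credentials in an include outside the document root; destr3: give every included file a .php extension) combined into one working layout. This is an added example, not code posted by anyone in the thread; the paths /var/www/html (document root) and /var/www/config/db.php, and the credential values, are assumptions for illustration.

```php
<?php
// Added example: loading MySQL credentials from an include file that lives
// OUTSIDE the web root, so the web server can never serve it as a page.
//
// Assumed layout (hypothetical paths):
//   /var/www/html/index.php   <- inside the document root, this file
//   /var/www/config/db.php    <- one level ABOVE the document root
//
// Contents of /var/www/config/db.php (values are placeholders). The file
// ends in ".php", not ".inc", so even if a copy were ever placed under the
// document root it would be executed rather than echoed as plain text:
//
//   <?php
//   return [
//       'host'     => 'localhost',
//       'username' => 'myusername',
//       'password' => 'mysupersecretpassword',
//       'database' => 'mydb',
//   ];
//
// Everything below is /var/www/html/index.php.

declare(strict_types=1);

// __DIR__ is /var/www/html; dirname() steps up to /var/www, which is
// not reachable through any URL.
$configPath = dirname(__DIR__) . '/config/db.php';

if (!is_readable($configPath)) {
    // Fail closed: no fallback to credentials hard-coded in this file.
    http_response_code(500);
    exit('Database configuration is missing.');
}

// "return [...]" in the include hands the array straight back to require.
$config = require $configPath;

$mysqli = new mysqli(
    $config['host'],
    $config['username'],
    $config['password'],
    $config['database']
);

if ($mysqli->connect_error) {
    // Keep the detail in the server log; never print it to the browser,
    // since connect errors can echo the host and username.
    error_log('MySQL connect failed: ' . $mysqli->connect_error);
    http_response_code(500);
    exit('Database unavailable.');
}

echo 'Connected.';
```

The config file is a plain PHP file that only returns an array, so it defines no globals and can be required from any script. Because it sits above the document root, a misconfigured server that stops parsing PHP cannot expose it, which is exactly the failure freddycodes describes; the .php extension is the second layer destr3 recommends for the case where moving it out of the web root is not allowed.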

freddycodes
07-29-2004, 01:11 AM
Good point destr3.

Something I left out but have seen many do. In fact if you want to distinguish them from regular files, at least go with a filename.inc.php