0

I am new to php/sql, please forgive what must be a very basic question.

I created a simple php form and have it send the data to a 2nd php page which then inputs the form data into a sql DB.

I have it working 100%, but a question comes up now that I have done so.

In my forms target php file it uses the baic connection method

mysql_connect('host', 'user', 'pass');

all fine and good, BUT a person can simply view the source code of this second file and see the database user/pass.. is this not a security risk?

4
Contributors
11
Replies
12
Views
7 Years
Discussion Span
Last Post by macross
0

your php code is not visible in the source of a page. only your output from a php file is visible in the source. now, if someone had access to your files themselves, through a command line, or FTP or something like that, they could read the file, and see that type information.

0

let me show you the code and try to clarify

I have a php page called test01.php

I access it via http://www.mydomain.com/test01.php

If I view the source code I see

<form action="process.php" method="post">
Your Name: <input type="text" name="name"><br>
E-mail: <input type="text" name = "email"><br>
Location: <input type="text" name = "location"><br>
<input type="submit" value="Submit">
</form>

If I simply make a quick webage in notepad that has

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<a href="process.php">link </a>
</body>
</html>

open it in a browser and right click save the linka nd I get a download of the process page which has the raw user/pass in it

0

May be You Create Your File in Earlear version of PHP That's Not Support Your Server.
I Suggest You That Please Reload Your OS or Paste Your PHP File code There.
If Your PHP File contain any Error It's Not Run.
and Also go to Your CPanel and Check it Support PHP or witch Version PHP is Installed on Your Server.
Thank You.

0

As I mentioned, I am pretty new to php, so I am sure this is some basic thing I am just to new to understand.. basic concept.. something

As I mentioned above; I load http://www.mydomain.com/test01.php, this shows up the form and when I submit the form it does indeed go into the database. I am thinking I need to do something where the person calls up a basic html page that calls up the php with the form so that the person never gets to see the php page name called by the form and in turn can't simply download the process the page.... like I said.. this is probably some php 101 thing I have missed.

PHP server version 5.2.9

2 pages

1st page "test01.php"

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<form action="process.php" method="post">
Your Name: <input type="text" name="name"><br>
E-mail: <input type="text" name = "email"><br>
Location: <input type="text" name = "location"><br>
<input type="submit" value="Submit">
</form> 
</body>
</html>

2nd page (actual username and password removed)
"process.php"

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<?
$name=$_POST['name'];
$email=$_POST['email'];
$location=$_POST['location'];
mysql_connect("localhost", "[I]username[/I]", "[I]password[/I]") or die(mysql_error());
mysql_select_db("fuzzygno_sampledb") or die(mysql_error());
mysql_query("INSERT INTO `data` VALUES ('$name', '$email', '$location')");
Print "Your information has been successfully added to the database.";
?> 
</body>
</html>

Edited by macross: n/a

0

It's difficult to know your setup, so I'm only guessing, but one possibility is that your server doesn't accept short tags.

I notice that in process.php, after <body> you open your PHP code with <?

Try using <?php instead.

You need to get it such that if someone browses to http://yoursite/process.php, the code does NOT show up. If it's not fixed by my suggestion, I suspect it's a server setting somewhere.

0

Let me clarify
If someone browses to http://yoursite/process.php they don't get a page that shows the raw info, that is fine.

The problem is that by creating a generic html document with a link to my process.php page, they can simply right click the link they made and "save target as" to get a local copy of my raw process.php which of course has the user/pass in it.

0

yea, I think using <?php instead of just <? to open php tags may help.

You should check the mime types that your server is using. I think you need to be sure php files are set up as application/x-httpd-php. You can do this in your mime.types file in apache, or an .htaccess file.

0


You need to get it such that if someone browses to http://yoursite/process.php, the code does NOT show up. If it's not fixed by my suggestion, I suspect it's a server setting somewhere.

If I surf to http://yoursite/process.php the page that loads is fine, you can't see the server/user/pass in it.

The problem is if I create a link to http://yoursite/process.php in a seperate html doc, I can right click the link and "save target" and it saves a local copy of the page that does have the server/user/pass

For the sake of argument I did change it to <?php , no difference.

Also the server I am testing on is hosted by bluehost.com

Edited by macross: spelling

0

I am sorry to have waisted all your time, I figured out the issue and the problem was that I am just a dumb ass.

Sorry again.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.