Do I need to worry about the password in mysql_connect in php?

When writing the database connection code, is it not open for everyone to see my database username and password? Could they connect and modify my database? It's just weird to print username and password and not encrypt.

mysql_connect(localhost, user1, correcthorsebatterystaple)


I know the source is not viewable when I right click on the view source. But if someone created a quick html page with ahref = then they right click and upload so they can view my PHP code along with my username and passowrd, right?


source to share

3 answers

PHP runs on the server and outputs HTML to the client. This way the client will never be able to view the PHP source. This way you don't need to worry about the security of passwords in these files.



The server sees all requests (so even this ahref

one in your example) to the file as the one requesting the php file.

Your server will ask PHP to parse the file first, and if configured correctly, will never show the code in any way.

Someone with direct (ssh, for example) access to your server or your code (ftp, github, etc.) will be able to read your code and your password. Avoid this at all costs.

You can put whatever you need to be careful outside of your www-root directory (e.g. / var / www). Even if something is wrong, the changes that will be read in your config will be less if they are in a separate place. Use include to include it. This will "work" if the file is parsed, so if it is NOT parsed, you will not include it, so it will not be displayed



If the user were to download your connect_file.php file directly to the browser, they will receive a PHP file that will render as HTML, which is probably empty. Hitting save-as will save a local copy of the blank HTML page. Since PHP is displayed on the server and then sent to the user's browser, they only see the results, not the source.

If you are still concerned about this, you can always keep connect_file.php out of the internet and include it from another file. In case the PHP process crashed, or the PHP code was somehow processed, it would even further prevent someone from viewing your PHP code containing the password.



All Articles