Safe enable database login variables

When I connect to my database I have an include('connect.php') document to connect. Now I want to make this a little more secure. Is it possible to check that the one that wants to include connect.php is from my domain? How:

if($_SERVER["HTTP_REFERER"] == "mydomain.com"){
    $link = mysql_connect("localhost","user","password");
    mysql_select_db("dbname");
}

And if possible, how to check that $_SERVER["HTTP_REFERER"] == mydomain.com, when $_SERVER["HTTP_REFERER"] can return mydomain.com/page.php?

+2




2 answers


This is not a problem to be solved in PHP. If someone can include the file that way, the server's security is already messy. It is the web server's job to prevent the use of raw PHP files and work with OS security and user preferences to prevent unauthorized users / processes from including files. If someone gets enough access to the file to be able to include it, they have enough access to just read it, in which case no security measures you put in the file will be implemented.

In short: don't worry about it. :)

EDIT:

Something like this:

# Apache .htaccess: send direct requests for connect.php to the front page instead
RewriteEngine On
RewriteRule ^connect\.php /index.php [R]

This may vary depending on your setup; check out the many questions on this topic.

+5




It seems to me that you are doing it backwards.

An easier way to protect your connect.php is to move it up one folder (outside the website root) and use include('../connect.php') instead of include('connect.php'). Do this and you are safe (at least as far as connect.php is concerned).

HTTP_REFERER has nothing to do with security. Checking it will result in the visitor receiving "Database connection error" instead of the requested page if the check fails. It will fail every time:

  • someone comes to your site from a link on another site (including Google and co.)
  • someone comes to your site by clicking on a browser bookmark
  • someone comes to your site by typing the address directly into the address bar

Somehow I don't believe this is what you want.

+1
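The two points above, as an added example that is not part of the original question or answers: the first half shows the layout the second answer recommends (credentials file one level above the document root, included by an absolute path built from __DIR__ so the include does not depend on the working directory); the second half shows what the asker's HTTP_REFERER test actually does with the values a browser sends, which also answers the "mydomain.com/page.php" part of the question. The file paths, the getDatabase/refererHost/refererMatchesDomain names and the sample referer strings are all constructed for this example.

```php
<?php
// Added example; not code from the original question or answers.
//
// Part 1: layout from the second answer. connect.php lives one level above
// the document root, so the web server cannot serve it by URL even if the
// PHP handler is misconfigured, and the page includes it by an absolute path.
//
// Assumed layout (hypothetical paths):
//   /var/www/config/connect.php   <- credentials, outside the web root
//   /var/www/html/index.php       <- document root is /var/www/html
//
// ---- contents of /var/www/config/connect.php ----
// return new PDO(
//     'mysql:host=localhost;dbname=dbname;charset=utf8mb4',
//     'user',
//     'password',
//     [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
// );

// ---- /var/www/html/index.php ----
function getDatabase(): PDO
{
    // __DIR__ is the directory of this file, so the path stays correct
    // when the script is run from another working directory.
    $configFile = __DIR__ . '/../config/connect.php';
    if (!is_file($configFile)) {
        throw new RuntimeException('Database configuration file is missing');
    }
    // require returns whatever the included file returns: here the PDO object.
    return require $configFile;
}

// Part 2: what the referer test does. HTTP_REFERER is sent by the browser,
// is absent for bookmarks and typed addresses, and when present is a full
// URL such as "https://mydomain.com/page.php", so comparing it with the bare
// string "mydomain.com" is always false. parse_url() extracts the host part.
// The header is client-controlled, so this is a usability hint, not a
// security boundary, exactly as the second answer says.
function refererHost(?string $referer): ?string
{
    if ($referer === null || $referer === '') {
        return null;           // bookmark, typed address, or privacy setting
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : null;
}

function refererMatchesDomain(?string $referer, string $domain): bool
{
    return refererHost($referer) === strtolower($domain);
}

// Constructed sample referers showing which visitors the check would block.
$samples = [
    'https://mydomain.com/page.php' => true,  // navigation inside the site
    'https://www.google.com/search' => false, // arrived from a search result
    ''                              => false, // bookmark or typed URL: header absent
    'mydomain.com'                  => false, // no scheme: parse_url finds no host
];
foreach ($samples as $referer => $expected) {
    $result = refererMatchesDomain($referer, 'mydomain.com');
    printf("%-32s -> %s\n", var_export($referer, true), $result ? 'allowed' : 'blocked');
    assert($result === $expected);
}
```

Run the second half on its own (the getDatabase() function is never called unless a database exists) and three of the four constructed visitors are blocked, which is the failure mode the second answer lists. Moving the credentials file above the document root needs no such check: the only way to reach it is through the include, and a process that can read the include can read the file anyway, as the first answer points out.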

