Help me understand PHP permission

gregulator

Senior member
So for interaction between PHP and MySQL, you typically put your DB password in the file. So how is this best protected? I know when a browser requests the page, the server executes the code and serves up the result, but is there any way a user can get a copy of the source? Should permissions be execute-only, or read-only for "other"? Would read-only mean they could ever download the source? Thanks!
 
PHP files are not readable by the public. You have to change the extension to something else if you want the public to be able to see the source. You will be fine to have test.php be something like:
<?php
$db_pw = 'password';
?>

And if anyone looked at the test.php file from the HTTP it would just be a blank file, you don't need to change any permissions.
 
what reverend said.

also, it's a good practice to put dbconnect files in an include file that's outside of the www directory
 
Originally posted by: reverend boltron
PHP files are not readable by the public. You have to change the extension to something else if you want the public to be able to see the source. You will be fine to have test.php be something like:
<?php
$db_pw = 'password';
?>

And if anyone looked at the test.php file from the HTTP it would just be a blank file, you don't need to change any permissions.

There are a couple of issues with this. It will NOT protect you if/when there is a server misconfiguration (stops rendering php files). It also makes it easier for someone who has exploited your site via SQL injection or cross-site scripting to get a hold of your database credentials. Of course, a well written site should stop most of this... but that's a whole different topic.

I don't know off-hand the best way to secure that information, but I'm fairly positive doing nothing is a bad idea 🙂
 
Troytime is correct..

use separate files for any php code that contains credentials, load them using includes, and have them in a separate directory so if the web server breaks your php files are not viewable/servable.
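
The include-outside-the-web-root layout recommended above, as an added example that is not code from any poster in this thread: a loader that refuses a credentials file the web server could serve directly or that "other" users can read. The function name, directory layout, DSN and the `app_ro` account are hypothetical, and POSIX file permissions are assumed.

```php
<?php
declare(strict_types=1);

// Load DB credentials from a PHP file that returns an array, refusing any
// file the web server could serve directly or that other local users can read.
function load_db_config(string $configPath, string $docRoot): array
{
    $config = realpath($configPath);
    $root   = realpath($docRoot);
    if ($config === false || $root === false) {
        throw new RuntimeException('config file or document root not found');
    }
    // Inside the web root the file is one handler misconfiguration away
    // from being served as plain text.
    if (strpos($config, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('config file is inside the document root');
    }
    // The "other" permission bits must be clear (e.g. 0640, owner + web group).
    if ((fileperms($config) & 0007) !== 0) {
        throw new RuntimeException('config file is accessible to "other"');
    }
    $settings = require $config;
    if (!is_array($settings)) {
        throw new RuntimeException('config file must return an array');
    }
    return $settings;
}

// Constructed demo layout (hypothetical paths, DSN and account) in a temp
// directory: <base>/public is the web root, <base>/private holds credentials.
$base = sys_get_temp_dir() . '/dbconf_demo_' . getmypid();
@mkdir("$base/public", 0755, true);
@mkdir("$base/private", 0750, true);
$body = "<?php\nreturn ['dsn' => 'mysql:host=localhost;dbname=app', 'user' => 'app_ro', 'pass' => 'placeholder'];\n";
file_put_contents("$base/private/db.php", $body);
chmod("$base/private/db.php", 0640);
file_put_contents("$base/public/db.php", $body);
chmod("$base/public/db.php", 0640);

$cfg = load_db_config("$base/private/db.php", "$base/public");
echo "loaded credentials for user {$cfg['user']}\n";
// A real page would now call: new PDO($cfg['dsn'], $cfg['user'], $cfg['pass']);

try {
    load_db_config("$base/public/db.php", "$base/public");
} catch (RuntimeException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```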
 
Originally posted by: reverend boltron
Dravic, that was both useful and stated humbly. Good show!

just checking, because my social skills aren't very good...was I not humble or clear when i said it?

(seriously, i'm not digging here or anything...i'm trying to improve my communication skills)
 
Originally posted by: troytime
Originally posted by: reverend boltron
Dravic, that was both useful and stated humbly. Good show!

just checking, because my social skills aren't very good...was I not humble or clear when i said it?

(seriously, i'm not digging here or anything...i'm trying to improve my communication skills)

Nah, you're fine. Clear and succinct. Good advice by all who recommend an include stored outside the web root. :thumbsup:
 
Originally posted by: NiKeFiDO
Originally posted by: Hyperblaze
I personally would define it as a class variable, but i'm an OO PHP developer

where's the added security in that?

and there's no difference between an OO developer and a "regular" php developer
there are times to use OO, and times to not
 
On top of all the good advice here you should also use accounts that are restricted to have only the access required for the script. There is no reason to have drop / create support on a page that only views a single table.
 
Originally posted by: NiKeFiDO
Originally posted by: Hyperblaze
I personally would define it as a class variable, but i'm an OO PHP developer

where's the added security in that?

private static $password = 'hello';

you won't be seeing that anywhere....

and yes, the classes folder is outside the web root
 
Originally posted by: troytime
Originally posted by: NiKeFiDO
Originally posted by: Hyperblaze
I personally would define it as a class variable, but i'm an OO PHP developer

where's the added security in that?

and there's no difference between an OO developer and a "regular" php developer
there are times to use OO, and times to not

i try to use OO as much as possible.

I tend to use one include at the top of every php page (a config file) which autoloads any classes which I need.

And there is a HUGE difference in OO development compared to a non-OO php development as you call it. It's called clean and efficient code.

On a highly scalable project, you show me code that's clean and efficient using non-OO code practice and I'll show you ways to make it more efficient (and clean).


ps: I'm not talking about a simple php script or page, I'm talking about a serious php web application

 
Originally posted by: Hyperblaze
Originally posted by: troytime
Originally posted by: NiKeFiDO
Originally posted by: Hyperblaze
I personally would define it as a class variable, but i'm an OO PHP developer

where's the added security in that?

and there's no difference between an OO developer and a "regular" php developer
there are times to use OO, and times to not

i try to use OO as much as possible.

I tend to use one include at the top of every php page (a config file) which autoloads any classes which I need.

And there is a HUGE difference in OO development compared to a non-OO php development as you call it. It's called clean and efficient code.

On a highly scalable project, you show me code that's clean and efficient using non-OO code practice and I'll show you ways to make it more efficient (and clean).


ps: I'm not talking about a simple php script or page, I'm talking about a serious php web application

i like using OO too

but i'm not going to waste my time pissin in your cheerios

go to php tek this week and make your claims that there's a huge difference

clean is an opinion
efficient is dependent on a lot of things, making some OO doesn't make the code more efficient unless that code is being used in more than one location
 
Originally posted by: troytime
Originally posted by: Hyperblaze
Originally posted by: troytime
Originally posted by: NiKeFiDO
Originally posted by: Hyperblaze
I personally would define it as a class variable, but i'm an OO PHP developer

where's the added security in that?

and there's no difference between an OO developer and a "regular" php developer
there are times to use OO, and times to not

i try to use OO as much as possible.

I tend to use one include at the top of every php page (a config file) which autoloads any classes which I need.

And there is a HUGE difference in OO development compared to a non-OO php development as you call it. It's called clean and efficient code.

On a highly scalable project, you show me code that's clean and efficient using non-OO code practice and I'll show you ways to make it more efficient (and clean).


ps: I'm not talking about a simple php script or page, I'm talking about a serious php web application

i like using OO too

but i'm not going to waste my time pissin in your cheerios

go to php tek this week and make your claims that there's a huge difference

clean is an opinion
efficient is dependent on a lot of things, making some OO doesn't make the code more efficient unless that code is being used in more than one location

i'm not going to "waste my time" to make a claim like that on php tek.

i understand the difference in code flow and structure between OO PHP and embedded php, as well as procedural php. I used to love procedural PHP until I came to understand the effectiveness of classes.

You're right, clean is an opinion. Same as efficient. In my opinion, clean and efficient stands for making the application flow as smooth as possible, using the least lines possible.

From my experience, I can achieve that the most through the use of OO PHP. Embedded or procedural PHP is just so damn congested.

You are absolutely right about your last statement. Making some code OO doesn't make the code more efficient, since I've seen downright horrible code in the OO method. It all comes down to the developer. How they think and how they structure things.

I admit that when it comes to code, I tend to have an ego which does get the better of me at times. I've just seen too much code out there which I couldn't believe was actually coded (it was pretty nasty).

Everyone can write a program. Not everyone can code efficiently.

(Note: i'm not the best, but I'm definitely not the worst either)
 