-1

I have a PHP file which retrieves some important data from my database. For now, if anybody accesses the PHP file via URL, it directly displays the data, which I don't want to happen. Is it possible to create a password input box which will prompt for the database password and assign its value to the $password variable (see the code below), so that only if the user inputs the correct password will the file interact with the database?

UPDATE TO THE EXAMPLE CODE:

    <?php
    $con = mysqli_connect("example.com", "peter", "abc123", "my_db");
    // Check connection; stop here if it failed, since $con is unusable
    if (mysqli_connect_errno()) {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
        exit;
    }
    // Fetch every row from the Persons table
    $result = mysqli_query($con, "SELECT * FROM Persons");

    // Print each person's full name on its own line
    while ($row = mysqli_fetch_array($result)) {
        echo $row['FirstName'] . " " . $row['LastName'];
        echo "<br>";
    }

    mysqli_close($con);
    ?>

When this PHP file is accessed via a browser, it displays:

    Peter Parker
    Glenn Forbes

I don't want people to see the output directly! I want them to first input the password, so that the PHP file interacts with the database and displays the output!

Hope you people got me this time!

saibbyweb
  • 2
    How will a PHP file with the contents you have actually DISPLAY anything at all? Do you have some funny extension on it? If your server is configured to run all .php files as php, make sure to call this a .php - the user will see NOTHING. If you call it something funny like .inc and include it, the server won't know to run it as PHP and simply display it as text. – Fluffeh Jun 02 '14 at 12:36
  • This sounds like your server does not parse PHP files or has PHP disabled... – M.S. Jun 02 '14 at 12:37
  • After the PHP is interpreted, no, they won't see it in the browser console – user1978142 Jun 02 '14 at 12:37
  • So, you want to prevent someone with file access (not web access) to the .php file from reading the password in the file? – M.S. Jun 02 '14 at 12:38
  • I KNOW THEY WON'T SEE THE PASSWORD, I JUST DON'T WANT THEM TO SEE THE CONTENTS WHICH THE FILE RETRIEVES FROM THE MySQL database!!! (the above code was just an example) – saibbyweb Jun 02 '14 at 12:40
  • It sounds like you don't have PHP set to parse that file? Make a new file `info.php` or some other name if you wish. Inside that write `` and tell us what you see when you access that page..? – l0gic Jun 02 '14 at 12:41
  • Alright! People, I updated my question. Hope you'll understand it now! – saibbyweb Jun 02 '14 at 12:47
  • I know exactly what you want to do. Personally, I don't think it's a good idea to give out your database password, because that way they will have access to your entire data. You're best to either create a login system, or use `.htaccess` – Funk Forty Niner Jun 02 '14 at 12:49
  • I have to give the database password to other admins of my website. – saibbyweb Jun 02 '14 at 12:50
  • 1
    Then you're best creating a login system and use a WHERE clause. Even your best friend will backstab you; believe me. – Funk Forty Niner Jun 02 '14 at 12:51
  • Is there no other way? – saibbyweb Jun 02 '14 at 12:52
  • You can create users in SQL with a granted access. But that area I'm not well-versed in. – Funk Forty Niner Jun 02 '14 at 12:53
  • You could configure individual users within the `mysql.user` table in the database and provide them with that username/password - then use Apache Basic Auth with mod-auth-mysql to manage the log ins - this is, I believe, one way PHPMyAdmin can be configured to work. – CD001 Jun 02 '14 at 12:54
  • Here is some documentation on it http://dev.mysql.com/doc/refman/5.1/en/create-user.html – Funk Forty Niner Jun 02 '14 at 12:58
  • 1
    possible duplicate of [How to secure database passwords in PHP?](http://stackoverflow.com/questions/97984/how-to-secure-database-passwords-in-php) – Marcus Adams Jun 02 '14 at 13:00
  • I don't know why you chose the [answer below](http://stackoverflow.com/a/23995150/), that is so insecure and in so many ways. I hope you know what you're doing and how to make it work so you won't get hacked. Good luck with that. – Funk Forty Niner Jun 02 '14 at 13:05

5 Answers

2

If I were you (and if I'm understanding your problem correctly) I would use an htaccess file. Basically, you will create two files in the directory you want to protect. The first, you will name .htaccess. That's all you need in the file name. Open the file in an editing program (e.g., Notepad++) and insert the following code:

    AuthType Basic  
    AuthName "restricted area"  
    AuthUserFile "the/path/to/the/directory/you/are/in/.htpasswd" 
    require valid-user

The .htpasswd you see is the file name of the second file you will create. Create that file (with the name .htpasswd), and open it to edit it. In that file, type in the username of the person who is to enter the directory.

    JohnDoe

Followed by a colon.

    JohnDoe:

Now, go to a website like http://www.htaccesstools.com/htpasswd-generator/ and type in the Username (just put in "test") and password you want in the fields provided. Submit the information.

After you do that, it will pop up with a formatted line of information. Copy the mess of letters after the colon and paste them after the colon in your .htpasswd file. Save your work.

    JohnDoe:$apr1$eBsB98Mg$93ckYxSmT5BBfPqOS5a/6.

Now that you have done all that, when someone goes to the directory on your website, they will be prompted to give the username and password. If they know it, it will let them in, and then display what is in your PHP file (you will need to make sure the file is named index.php).

I hope that helps!

Enzo Mac
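Added example (not part of the answer above): the `.htpasswd` line can also be produced locally, so the password is never typed into a third-party website. This PHP command-line script writes a bcrypt (`$2y$`) entry, which Apache 2.4 accepts in an `AuthUserFile`; the script name, its arguments and the `0640` file mode are assumptions of this example.

```php
<?php
declare(strict_types=1);
// Added example, CLI only. Assumed usage:
//   php make_htpasswd.php <username> <path/to/.htpasswd>
// The password is read from stdin, not from an argument, so it does not end
// up in shell history or in the process list.

function htpasswdLine(string $user, string $password): string
{
    // A colon separates the two fields, so it cannot appear in the user name.
    if ($user === '' || preg_match('/[:\s]/', $user)) {
        throw new InvalidArgumentException('User name must be non-empty, without ":" or whitespace');
    }
    // PASSWORD_BCRYPT produces a "$2y$..." hash.
    return $user . ':' . password_hash($password, PASSWORD_BCRYPT);
}

function upsertUser(string $file, string $user, string $password): void
{
    $lines = is_file($file)
        ? (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [])
        : [];
    // Drop any existing entry for this user, then append the new one.
    $lines = array_values(array_filter($lines, fn ($l) => strpos($l, $user . ':') !== 0));
    $lines[] = htpasswdLine($user, $password);
    file_put_contents($file, implode("\n", $lines) . "\n", LOCK_EX);
    chmod($file, 0640); // assumption: owner writes, web server's group reads
}

if (PHP_SAPI === 'cli' && isset($argv[2])) {
    fwrite(STDERR, 'Password: ');
    $password = rtrim((string) fgets(STDIN), "\r\n");
    upsertUser($argv[2], $argv[1], $password);
    fwrite(STDERR, "Updated {$argv[2]}\n");
}
```

Keeping the `.htpasswd` file outside the web root means it cannot be requested over HTTP even if the server configuration changes.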
1

There are many ways...

    <?php
    // Reject the request unless the expected token is in the query string
    $token = $_GET['token'] ?? '';
    if (!is_string($token) || !hash_equals('a1a2a3a4a5', $token)) {
        die('Wrong request!');
    }
    $con = mysqli_connect("example.com", "peter", "abc123", "my_db");
    // Check connection; stop here if it failed
    if (mysqli_connect_errno()) {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
        exit;
    }
    $result = mysqli_query($con, "SELECT * FROM Persons");

    while ($row = mysqli_fetch_array($result)) {
        echo $row['FirstName'] . " " . $row['LastName'];
        echo "<br>";
    }

    mysqli_close($con);
    ?>

Then access your page from:

http://www.example.com/readdata.php?token=a1a2a3a4a5

Kibele
0

Apache (or any other server) will execute files based on the file extension it sees and that it has been told what to do with. If that isn't told specifically, it will display it simply as text.

If your server is running PHP files fine, you can include any filename you like - that includes the extension and PHP will assume it is simply PHP. If you try to get tricky however and call it a .php5 or a .include and you haven't set up your server to run these file types as PHP, it will be output to the user as simply text.

Set up the file types properly on your server or call them all by the default extension.

Based on the code you provided:

    <?php
    $host = "localhost";
    $db_name = "NAME_OF_THE_DATABASE";
    $username = "root";
    $password = "PASSWORD_OF_THE_DATABASE";
    ?>

A user entering this exact URL will see a grand total of NOTHING. That is because when the file is being executed as PHP, it simply assigns the variables values - it doesn't ever display them.

If the file isn't associated as a PHP executable file, your server will send the contents to the user as they are - showing all your code as you wrote it.

Fluffeh
0

From your question, what I understood is that you don't want anybody to see the password, so I think you can encrypt your PHP code and still run it on the server.

Use the following tools:

You can definitely hide/encode/encrypt the PHP source code, and 'others' can install it on their machine. You could use the below tools to achieve the same.

ashok_p
0

You should not see the code on the screen unless your file add .php, check extension. I suggest you separate the database details into a new PHP file, and move it to an upper-level directory.

HTML CODE:

    <form action="{your url}">
      Please enter your password:<input name="password" type="password" />
      <input type="submit" value="Submit" />
    </form>

PHP code:

    <?php
    // Read the submitted password; the form above sends it as a GET parameter
    $password = $_GET['password'] ?? '';
    if ($password === "1234") {

        echo 'correct password';

        // and add your code here

    }

Louise
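
Added example, not code from any of the answers: a password gate for the question's page, following the login-system suggestion made in the comments. It takes the password by POST rather than in the query string, checks it with `password_verify()` against a stored hash, and remembers the result in a session; `PAGE_PASSWORD_HASH` is a placeholder and HTTPS is assumed.

```php
<?php
declare(strict_types=1);
// Added example. PAGE_PASSWORD_HASH is a placeholder; create a real value once with
//   php -r 'echo password_hash("the page password", PASSWORD_DEFAULT), PHP_EOL;'
// Until it is replaced, password_verify() rejects every input (fails closed).
const PAGE_PASSWORD_HASH = 'REPLACE_WITH_password_hash_OUTPUT';

session_start([
    'cookie_httponly' => true,
    'cookie_secure'   => true,      // assumption: the site is served over HTTPS
    'cookie_samesite' => 'Strict',
    'use_strict_mode' => true,
]);

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // POST keeps the password out of the URL, browser history and access logs.
    $submitted = $_POST['password'] ?? '';
    if (is_string($submitted) && password_verify($submitted, PAGE_PASSWORD_HASH)) {
        session_regenerate_id(true);            // fresh session ID after login
        $_SESSION['authenticated'] = true;
    } else {
        $error = 'Wrong password.';
        http_response_code(403);
    }
}

if (($_SESSION['authenticated'] ?? false) !== true) {
    ?>
    <form method="post">
      <?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?>
      Please enter your password: <input name="password" type="password">
      <input type="submit" value="Submit">
    </form>
    <?php
    exit;                                       // nothing below runs without a login
}

// Reached only with an authenticated session: the query from the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors
$con = mysqli_connect("example.com", "peter", "abc123", "my_db");
$result = mysqli_query($con, "SELECT FirstName, LastName FROM Persons");
while ($row = mysqli_fetch_assoc($result)) {
    // Escape database values before writing them into HTML.
    echo htmlspecialchars($row['FirstName'] . ' ' . $row['LastName'], ENT_QUOTES, 'UTF-8'), "<br>";
}
mysqli_close($con);
```

The password checked here is a page password, separate from the MySQL password, so the other admins never need the database credentials.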