-2

I use the following PHP code to connect to MySQL.

$link = mysql_connect('127.0.0.1', 'root', '123456') or die("wrong user pass mysql");
mysql_select_db('database', $link);

This code is placed in a connection file called connection.php, which is included in all PHP scripts that require access to the database.

If a hacker gets the URL of connect.php (http://www.example.com/connection.php), is it possible to hack my database? How can I ensure that the PHP connection code does not help the hacker? Or what is the most secure way of connecting to the database?

  • If you're worried about someone getting access to that file, why not store it outside the webroot? Otherwise - if it's got a PHP extension, it's going to be run by the server before it's sent to the user, so none of your code should be visible, unless your server configuration breaks. – andrewsi Apr 12 '15 at 18:15
  • Use the code in the dupe and move all your files outside of the docroot like @andrewsi said – PeeHaa Apr 12 '15 at 18:51
  • Locally hosted databases are secure(ish) over database connections over TCP/IP, as the cracker will need physical access to said database server. By all means you can store database credentials outside your webroot, which would make it harder to obtain the password, but if someone 'hacks' into your server, passwords are the least of your concerns – Daryl Gill Apr 12 '15 at 18:52

1 Answer

0

To start, you should know how PHP works: when the browser sends a request to the server, the Apache server (or whatever server is used as the PHP server) handles the request and compiles the PHP page that the browser requested. The PHP server produces HTML (+JS+CSS) to display the results. Therefore the PHP code cannot be seen by the client.

And about hacking: use PDO to connect to the database. It's the best way to connect to a MySQL database. PDO - PHP manual
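The following is an added example, not part of the original question, comments or answer. It combines the two suggestions on this page: the connection file and its credentials live outside the web root, and the connection is made with PDO. The directory paths, the `db.ini` file, its keys, the `app_user` account and the `users` table are assumptions made for illustration.

```php
<?php
// connection.php -- stored outside the web root (hypothetical layout):
//   /var/www/private/connection.php   not reachable by URL
//   /var/www/private/db.ini           credentials, file mode 0600
//   /var/www/html/index.php           docroot script that requires this file
declare(strict_types=1);

// Defense in depth: if this file is ever left inside the docroot and
// requested directly instead of being included, answer 404 and stop.
if (realpath($_SERVER['SCRIPT_FILENAME'] ?? '') === __FILE__) {
    http_response_code(404);
    exit;
}

function db_connect(string $iniPath): PDO
{
    // Constructed sample db.ini contents:
    //   host = 127.0.0.1
    //   name = database
    //   user = app_user     ; assumed least-privilege account, not root
    //   pass = CHANGE_ME    ; placeholder
    $cfg = parse_ini_file($iniPath);
    if ($cfg === false) {
        throw new RuntimeException('database configuration unavailable');
    }

    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $cfg['host'], $cfg['name']);

    try {
        return new PDO($dsn, $cfg['user'], $cfg['pass'], [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly
            PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepared statements
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    } catch (PDOException $e) {
        // Log the detail server-side only; the message and stack trace can
        // expose connection details if echoed to the browser.
        error_log('DB connection failed: ' . $e->getMessage());
        throw new RuntimeException('database unavailable');
    }
}

$pdo = db_connect(__DIR__ . '/db.ini');

// Usage from /var/www/html/index.php (hypothetical table and column):
//   require '/var/www/private/connection.php';
//   $stmt = $pdo->prepare('SELECT id FROM users WHERE email = ?');
//   $stmt->execute([$email]);
```

With this layout a server misconfiguration that serves `.php` files as plain text still cannot disclose the credentials, because neither file is reachable by URL.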