
I am at the learning stage of PHP. I am using a PHP file to process form data for an SQL table, and it has the server name, user, password and dbname to perform the SQL connect query. And of course it is in the public directory of the website. Is this a safe way, or is there any suggestion? Any suggestion is appreciated. The example is as follows:

$name = $_POST['name'];
$phn = $_POST['phn'] ;

$servername = "localhost";
$username = "abc";
$password = "abc";
$dbname = "abc";

// Create connection
$conn = mysqli($servername, $username, $password, $dbname);
GROVER.
  • 4,071
  • 2
  • 19
  • 66
  • 2
    Possible duplicate of [Where to safely store database credentials within a PHP website](http://stackoverflow.com/questions/32513480/where-to-safely-store-database-credentials-within-a-php-website) – Gurwinder Singh Dec 25 '16 at 09:31
  • Another one -- http://stackoverflow.com/questions/5882882/where-to-store-database-login-credentials-for-a-php-application – Gurwinder Singh Dec 25 '16 at 09:32
  • One more -- http://stackoverflow.com/questions/97984/how-to-secure-database-passwords-in-php – Gurwinder Singh Dec 25 '16 at 09:32
  • Just google before posting – Gurwinder Singh Dec 25 '16 at 09:33
  • the file being put in a public directory should not be a problem as long as you make sure that it is executed before the response is sent to the visitor of your website. If not, the file will be returned in plaintext and hence your credentials will be shown. An alternative approach is - for example - to put your credentials into environment variables and read them in PHP. Like that they can never be leaked. – Michael Lihs Dec 25 '16 at 09:41
  • imo, If you are learning about connecting to database in PHP then I suggest learning PDO. It is 'easier' as it makes sensible assumptions about 'common stuff'. An excellent site for all things PDO: https://phpdelusions.net/pdo – Ryan Vincent Dec 25 '16 at 10:14
  • `$conn = mysqli(..)` should be `$conn = new mysqli(...)` or `$conn = mysqli_connect(..)` – Tolios Dec 25 '16 at 11:17
  • @RyanVincent There's nothing wrong with doing MySQLi (given you actually use prepared statements, as with PDO), suggesting to use another API when the mistake in OPs question is a simple typo seems a bit drastic. Personal opinion, sure, but I like to encourage everyone to try *both* mysqli and PDO, to see which one *they* like best ;-) – Tolios Dec 25 '16 at 11:18
  • @tolios, I agree that my comment was personal. I did start the comment with an `imo,` (in my opinion). 2) The OP mentioned that they were just starting to learn about it. I didn't say anything negative about `mysqli`. Like yourself, I am familiar with both. – Ryan Vincent Dec 25 '16 at 11:25

5 Answers

0

Connecting using the mysqli extension gives you the ability to use newer MySQL features such as transactional queries and parameterised queries which aren't available using the older mysql extension.

Have a look at MySQL Improved Extension @ php.net

Md. Abutaleb
  • 1,590
  • 1
  • 14
  • 24
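The following is an added example, not the asker's code nor any answerer's, tying together the points raised in the comments and in the answer above: the credentials are read from environment variables rather than hard-coded in a file under the public directory, mysqli is put in exception mode, and the two POSTed fields are written with a prepared (parameterised) statement. The table name `contacts`, its columns `name`/`phn`, and the environment variable names `DB_HOST`, `DB_USER`, `DB_PASS`, `DB_NAME` are assumptions for this example; set them in the vhost or php-fpm pool configuration, not in a file the web server can serve.

```php
<?php
// Added example (not code from the question or answers). Form handler that keeps
// credentials out of the public directory by reading them from environment
// variables and inserts the POSTed fields with a prepared statement.
// Assumptions: a table `contacts(name VARCHAR(100), phn VARCHAR(32))` exists,
// and DB_HOST/DB_USER/DB_PASS/DB_NAME are set in the web server's environment
// (for example via SetEnv in the Apache vhost or `env[...]` in the php-fpm pool).

declare(strict_types=1);

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function dbConnectFromEnv(): mysqli
{
    $required = ['DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME'];
    $cfg = [];
    foreach ($required as $key) {
        $value = getenv($key);
        if ($value === false || $value === '') {
            // Fail closed: never fall back to a hard-coded default such as root/"".
            throw new RuntimeException("Missing environment variable $key");
        }
        $cfg[$key] = $value;
    }
    $conn = new mysqli($cfg['DB_HOST'], $cfg['DB_USER'], $cfg['DB_PASS'], $cfg['DB_NAME']);
    $conn->set_charset('utf8mb4');
    return $conn;
}

function validateInput(array $post): array
{
    $name = trim((string)($post['name'] ?? ''));
    $phn  = trim((string)($post['phn'] ?? ''));
    if ($name === '' || mb_strlen($name) > 100) {
        throw new InvalidArgumentException('name must be 1-100 characters');
    }
    if (!preg_match('/^\+?[0-9 ()-]{5,32}$/', $phn)) {
        throw new InvalidArgumentException('phn must look like a phone number');
    }
    return [$name, $phn];
}

function insertContact(mysqli $conn, string $name, string $phn): int
{
    // The user-supplied values never become part of the SQL text; they are sent
    // as bound parameters, so a value like "x'); DROP TABLE contacts;--" is
    // stored as a literal string instead of being executed.
    $stmt = $conn->prepare('INSERT INTO contacts (name, phn) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $phn);
    $stmt->execute();
    $id = (int)$conn->insert_id;
    $stmt->close();
    return $id;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        [$name, $phn] = validateInput($_POST);
        $conn = dbConnectFromEnv();
        $id = insertContact($conn, $name, $phn);
        http_response_code(201);
        echo 'Saved record ', $id;
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'Bad input: ', htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    } catch (mysqli_sql_exception | RuntimeException $e) {
        // Log the detail server-side; never echo credentials or SQL errors to the client.
        error_log('DB error: ' . $e->getMessage());
        http_response_code(500);
        echo 'Internal error';
    }
}
```

Two things worth checking on a real deployment: that `getenv('DB_PASS')` is actually populated under the web server's user (php-fpm pools and CLI runs see different environments), and that requesting the handler with a plain GET returns nothing useful, since a misconfigured server that stops executing PHP would otherwise serve whatever credentials sit in the file as text.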
0

Your mysql should be mysqli_connect().

Adetona
  • 27
  • 1
  • 6
0

You can store database credentials anywhere, but it is better to store them somewhere OUTSIDE of your main PHP folder, using this approach:

/config/db.config.php

<?php
define('DB_USER', 'root');
define('DB_PASS', 'pass');
define('DB_DATABASE', 'database');
define('DB_HOST', 'host');

If you store it INSIDE your PHP folder, each time you copy your code from local to web you will override your configurations. Also, such a file is safe (if you access it from the web, you will see nothing), but I still advise putting an .htaccess file here that denies all content. Also, I advise: DO NOT USE mysqli_connect without any wrapper (better use PDO with parametrised queries). But if you want to work with mysqli, better search the web for a good wrapper, or write it yourself. From my experience, the best way to work with mysqli is to create a class with static functions:

class DB {
   public static function init($dbHost, $dbUser, $dbPass, $db);
   public static function getTable($query);//get array of arrays
   public static function getRow($query);//get array (one database row)
   public static function getCell($query);//get single value
   public static function getColumn($query);//get array (column)
   public static function query($query);//update, delete, insert
}

because with this class you will be able to get data anywhere in your script using something like:

$list = DB::getTable("select * from table");
degr
  • 1,559
  • 1
  • 19
  • 37
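As an added example (not degr's code), here is a working version of the static wrapper sketched above, built on PDO as the answer itself recommends. It differs from the sketch in one deliberate way: every method takes a `$params` array in addition to the SQL, so callers bind values instead of concatenating them into the query string, which is what makes `DB::getTable("select * from table")` safe to generalise to queries that include user input. `initFromConfig()` also refuses a config file that resolves inside the document root. Assumptions: PHP 8.0 or later, a layout where the web root is `/var/www/public/` and the config lives in `/var/www/config/db.config.php` defining the `DB_*` constants from the answer, and a `contacts(name, phn)` table.

```php
<?php
// Added example (not degr's code): PDO-backed implementation of the DB wrapper
// sketched in the answer, with bound parameters on every method.
// Assumptions: PHP >= 8.0; config file one directory above the public folder,
// e.g. /var/www/config/db.config.php beside /var/www/public/ (the web root),
// defining DB_HOST, DB_USER, DB_PASS, DB_DATABASE as in the answer.

declare(strict_types=1);

final class DB
{
    private static ?PDO $pdo = null;

    /** Load credentials from a file the web server should not be able to serve. */
    public static function initFromConfig(string $configPath): void
    {
        $real = realpath($configPath);
        if ($real === false) {
            throw new RuntimeException("Config file not found: $configPath");
        }
        // Refuse a config path that resolves inside the document root: a server
        // that stops executing PHP would otherwise hand it out as plain text.
        $docRoot = realpath($_SERVER['DOCUMENT_ROOT'] ?? __DIR__);
        if ($docRoot !== false && str_starts_with($real, $docRoot . DIRECTORY_SEPARATOR)) {
            throw new RuntimeException("Refusing to load credentials from inside the web root: $real");
        }
        require_once $real;   // defines the DB_* constants
        self::init(DB_HOST, DB_USER, DB_PASS, DB_DATABASE);
    }

    public static function init(string $host, string $user, string $pass, string $db): void
    {
        $dsn = "mysql:host=$host;dbname=$db;charset=utf8mb4";
        self::$pdo = new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // no silent failures
            PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    }

    private static function run(string $sql, array $params): PDOStatement
    {
        if (self::$pdo === null) {
            throw new LogicException('DB::init() has not been called');
        }
        $stmt = self::$pdo->prepare($sql);
        $stmt->execute($params);   // values are bound, never interpolated into $sql
        return $stmt;
    }

    /** Array of rows (each an associative array). */
    public static function getTable(string $sql, array $params = []): array
    {
        return self::run($sql, $params)->fetchAll();
    }

    /** One row, or null when the query matched nothing. */
    public static function getRow(string $sql, array $params = []): ?array
    {
        $row = self::run($sql, $params)->fetch();
        return $row === false ? null : $row;
    }

    /** First column of the first row, or null. */
    public static function getCell(string $sql, array $params = []): mixed
    {
        $v = self::run($sql, $params)->fetchColumn();
        return $v === false ? null : $v;
    }

    /** First column of every row. */
    public static function getColumn(string $sql, array $params = []): array
    {
        return self::run($sql, $params)->fetchAll(PDO::FETCH_COLUMN, 0);
    }

    /** INSERT / UPDATE / DELETE; returns the affected row count. */
    public static function query(string $sql, array $params = []): int
    {
        return self::run($sql, $params)->rowCount();
    }
}

// Usage: the config path is relative to this script and outside the web root.
DB::initFromConfig(__DIR__ . '/../config/db.config.php');
DB::query('INSERT INTO contacts (name, phn) VALUES (:name, :phn)',
          [':name' => $_POST['name'] ?? '', ':phn' => $_POST['phn'] ?? '']);
$rows = DB::getTable('SELECT name, phn FROM contacts WHERE name LIKE :pattern',
                     [':pattern' => 'a%']);
```

If the config directory cannot be moved above the web root, the .htaccess the answer mentions should contain `Require all denied` (Apache 2.4) for that directory, and `initFromConfig()` will still reject the path so the mistake is caught at deploy time rather than discovered through a leaked credential.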
0

You forgot new before instantiating the MySQLi connection.

Try this instead:

$conn = new mysqli($servername, $username, $password, $dbname);
GROVER.
  • 4,071
  • 2
  • 19
  • 66
0

Please try this:

<?php
$servername = "localhost";
$username = "abc";
$password = "abc";
$dbname = "abc";

// Create connection
$conn = mysqli_connect($servername, $username, $password, $dbname);

$name = $_POST['name'];
$phn = $_POST['phn'];
?>
Mohit Yadav
  • 471
  • 8
  • 17