
I'm using a PHP file stored on my host to connect to a database stored on the same host, this is working fine.

I am using the below to connect to the database (example connection details)

<?php
$db = new PDO('mysql:host=localhost;dbname=myDB', 'myusername', 'mypassword');

My question is: seeing as I have specified the password (and other details) to connect to my server in my PHP file, can't someone with the direct link to my PHP file just download it and open it in a text editor to see those details?

If so, should I be passing the connection details to the PHP file like this:

<?php
$server = $_POST['server'];
$database = $_POST['database'];
$username = $_POST['username'];
$password = $_POST['password'];
$db = new PDO('mysql:host=$server;dbname=$database', $username, $password);
asked by BTS, edited by Dharman
  • Single quoted strings aren't interpolated in PHP so $server remains as a literal. Use double quotes "". – danblack Sep 17 '18 at 05:02
  • Hello @BTS, welcome to stackoverflow. Ideally, your database credentials should be protected and should be passed as environment variables. If you're trying this as a learning experience, then perhaps declaring your database credentials should be done via a configuration file you can easily name config.php, import it to your file where you will create the database connection and set the variables there. – CodeTrooper Sep 17 '18 at 05:03
  • Nobody will be able to get the values of your variables if they load your php page through their web browser. PHP interprets the code and outputs whatever it's told. In the case of your code, it would be a blank page. `$_POST` is a special variable that stores information received when somebody makes a `POST` request (usually through a web form) and is not appropriate for setting your database connection variables. – Jacob Mulquin Sep 17 '18 at 05:06
  • I've learnt my lesson about PHP's string interpolation haha – BTS Sep 17 '18 at 15:00
  • So using $_POST is not appropriate for the database connection, and I am aware loading the url to the php file through a web browser will just execute the code. But if the php file's url is known, wouldn't there be a way to just download the php file from my host where the connection details are mentioned, then just open it in a text editor to see (and exploit) the details? – BTS Sep 17 '18 at 15:30
  • Does this answer your question? [How to secure database passwords in PHP?](https://stackoverflow.com/questions/97984/how-to-secure-database-passwords-in-php) – Nico Haase Aug 06 '20 at 12:56

2 Answers


Your variables $server and $database are not interpreted correctly because you are using single quotes '. You need to use double quotes " to correctly pass variable values. (For more details, refer to: What is the difference between single-quoted and double-quoted strings in PHP?) Change your code as below.

<?php
$server = $_POST['server'];
$database = $_POST['database'];
$username = $_POST['username'];
$password = $_POST['password'];
// Replaced ' with "
$db = new PDO("mysql:host=$server;dbname=$database", $username, $password);

Expanding a bit on my comment: ideally you want to have this in separate files, one used for global configuration that you can then import into your other modules, like the example below.

Config.php file:

<?php

$HOST = 'hostname';
$DB = 'dbname';
$USER = 'username';
$PWD = 'password';
... other variables and global config ...
?>

DB Connection File:

<?php

include 'config.php';

$db = new PDO("mysql:host=$HOST;dbname=$DB", $USER, $PWD);
?>

Notice how the string inside the PDO connection is double quoted, because if single quoted, string interpolation won't work.

CodeTrooper
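The following is an added example, not code from the question or from either answer. It puts the two answers' points together (a double-quoted DSN so the variables are interpolated, and credentials kept in a separate config file) and adds the check a practitioner would want: the config file lives outside the document root, so no URL maps to it. A correctly configured server executes a .php file and never returns its source, but a stray backup copy such as config.php.bak or config.php~ is served as plain text, and a broken PHP handler serves every .php file as text; a file under /var/www/private is reachable in neither case. The path /var/www/private/db-config.php, the document root /var/www/html, the environment variable names DB_HOST, DB_NAME, DB_USER and DB_PASS, and the function names loadDbConfig and connectDb are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

/*
 * Assumed contents of /var/www/private/db-config.php. It sits outside the
 * web root (assumed to be /var/www/html) and is e.g. chmod 640, owned by the
 * deploy user with the web server's group, so only PHP can read it:
 *
 *   <?php
 *   return [
 *       'host' => 'localhost',
 *       'name' => 'myDB',
 *       'user' => 'myusername',
 *       'pass' => 'mypassword',
 *   ];
 */

function loadDbConfig(string $privateConfigPath): array
{
    // 1. Prefer environment variables (set by the web server, a systemd unit
    //    or a container). getenv() returns false for an unset variable.
    $fromEnv = [
        'host' => getenv('DB_HOST'),
        'name' => getenv('DB_NAME'),
        'user' => getenv('DB_USER'),
        'pass' => getenv('DB_PASS'),
    ];
    if (!in_array(false, $fromEnv, true)) {
        return $fromEnv;
    }

    // 2. Otherwise load the private file. Because it is outside the document
    //    root, no URL can fetch it even if .php handling is misconfigured.
    if (!is_readable($privateConfigPath)) {
        throw new RuntimeException("Cannot read DB config at $privateConfigPath");
    }
    $cfg = require $privateConfigPath; // the file returns an array
    foreach (['host', 'name', 'user', 'pass'] as $key) {
        if (!isset($cfg[$key]) || !is_string($cfg[$key])) {
            throw new RuntimeException("DB config is missing key '$key'");
        }
    }
    return $cfg;
}

function connectDb(array $cfg): PDO
{
    // Double-quoted DSN: the values are interpolated. With single quotes the
    // driver would receive the literal text {$cfg['host']} as the host name.
    $dsn = "mysql:host={$cfg['host']};dbname={$cfg['name']};charset=utf8mb4";
    return new PDO($dsn, $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Usage from a script under the web root. The credentials are read server-side
// and never appear in anything sent to the browser.
try {
    $db = connectDb(loadDbConfig('/var/www/private/db-config.php'));
} catch (PDOException $e) {
    // Log the real error on the server; do not echo it, as the message can
    // include the DSN (host and database name).
    error_log($e->getMessage());
    http_response_code(500);
    exit('Database unavailable');
}
```

Environment variables are checked first so the same script works unchanged in a container or under a service manager that injects DB_HOST and friends; the file fallback is for a plain shared host where you can only control the filesystem. Whichever source is used, the credentials are never placed in a file the web server will hand out, and the connection error path logs rather than prints, so a failed login does not leak the host or database name into the page.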