0

I have a .php file called db_conn.php which establishes a connection to the database. Here is the code of the file.

<?php
  $servername = "localhost";
  $username = "root";
  $password = "password";
  $dbname = "db_name";
  $conn = new mysqli($servername, $username, $password, $dbname);
  if ($conn->connect_error) {
      die("Connection failed: ");
  }
  else{
  }
?>

When I need to do some database operations from some other file for example from a login.php file, what I do is I use the include_once() function providing the location to the db_conn.php as the parameter. I do the same for another PHP file which needs DB access. I have a few doubts regarding this practice/method.

1. Is it okay to do this since I use the include_once() function and call the DB connection script more than once? Will it open new connections each time? If yes how should this be implemented?

2. If someone tries to include the file from an external domain by using include_once("www.mywebsite.com/php/db_conn.php") will they be able to execute DB queries on my DB?

  • Why not use `if(!defined('NO_ACCESS')) die('No script kiddies please');` & then use `define('NO_ACCESS', 0);` in your file before you `require_once` – Jaquarh Nov 04 '18 at 16:37

2 Answers

2
  1. Is it okay to do this since I use the include_once() function and call the DB connection script more than once? Will it open new connections each time? If yes how should this be implemented?

Yes, this is fine. Since you're using include_once, PHP will automatically recognize that it's already included the file, skip the second call, and you'll only get one connection. I'd recommend changing this to require_once however, since you want the script to immediately fail if the included file isn't found.

  2. If someone tries to include the file from an external domain by using include_once("www.mywebsite.com/php/db_conn.php") will they be able to execute DB queries on my DB?

Generally, no. Anybody requesting that URL will just get a blank page. However, best practice is to put library files like this outside of the web server's document root. For example:

/path/to/project
    /public
        index.php
    /lib
        db_conn.php

Here, you'd point your web server to /path/to/project/public and then in your index.php, you'd do something like:

require_once '../lib/db_conn.php';

Or maybe:

ini_set('include_path', '/path/to/project/lib');
require_once 'db_conn.php';

This way, your own code can refer to the PHP files in /lib but they cannot be requested directly via the web server.

Alex Howansky
0

1. Is it okay to do this since I use the include_once() function and call the DB connection script more than once? Will it open new connections each time? If yes how should this be implemented?

You should be using require_once("db_conn.php");

http://php.net/manual/en/function.require-once.php

Here are the differences between include(), include_once(), require() and require_once()

Difference between require, include, require_once and include_once?

2. If someone tries to include the file from an external domain by using include_once("www.mywebsite.com/php/db_conn.php") will they be able to execute DB queries on my DB?

This setting is disabled/not allowed by default in most web servers (php.ini), so you cannot use include to include files from a remote address, for security reasons.

If you still want to allow inclusion of remote files, the directive allow_url_include must be set to On in php.ini

But again, it is bad practice from a security point of view, and so it is generally disabled (I've never seen it enabled, actually).

If you want to read the contents of a remote file though, you can use the file_get_contents function instead, but this will be returned as pure HTML markup code; there won't be any server-side code.

Reference: including php file from another server with php
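
A hardened variant of db_conn.php for the /lib layout discussed in the answers, as an added example (not code from the question or from either answer). The db() function name and the DB_HOST, DB_USER, DB_PASS and DB_NAME environment variables are assumptions.

```php
<?php
declare(strict_types=1);
// lib/db_conn.php, kept outside the document root.
// Added example: db() and the DB_* environment variable names are assumptions.

// Refuse to run when requested directly instead of being included.
// This only matters if the file ever ends up under the document root.
if (isset($_SERVER['SCRIPT_FILENAME'])
    && realpath($_SERVER['SCRIPT_FILENAME']) === __FILE__) {
    http_response_code(404);
    exit;
}

// Remote includes must stay off (the PHP default); stop if they are on.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('db_conn.php: allow_url_include is enabled; refusing to start');
    http_response_code(500);
    exit;
}

/** Return the one mysqli connection shared by every caller in this request. */
function db(): mysqli
{
    static $conn = null;
    if ($conn instanceof mysqli) {
        return $conn;               // already connected: reuse it
    }
    // Make mysqli throw exceptions instead of failing silently.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    try {
        $conn = new mysqli(
            getenv('DB_HOST') ?: 'localhost',
            (string) getenv('DB_USER'),
            (string) getenv('DB_PASS'),
            (string) getenv('DB_NAME')
        );
        $conn->set_charset('utf8mb4');
    } catch (mysqli_sql_exception $e) {
        // Keep details in the server log; send the client nothing useful.
        error_log('DB connection failed: ' . $e->getMessage());
        http_response_code(500);
        exit('Service temporarily unavailable.');
    }
    return $conn;
}
```

Callers load the file with require_once and then call db() wherever a connection is needed; the static variable means only the first call opens a connection.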