
I know this is a beginner question but I did not find any good tutorials/advice, so StackOverflow was my last hope.

I'm new to programming and I'm trying to make a website that uses a MySQL database to store user data such as login info, their content on the site, etc.

What I would like to know is how to safely and properly link the MySQL DB to my website and get/send data from/to it.

Now, my server looks like this:

www 
 |__ public_html (my site html, assets, css and js)
 |__ php (where I think I should put my php files, outside the public http)

Inside the php folder, I have a config.ini file that contains the DB's address, username and password. Also inside this folder, I have my single .php file, that looks like this:

<?php

// Returns one shared connection per request; the credentials live in
// config.ini, which sits next to this file in the php folder, outside public_html.
function db_connect() {

    static $connection;

    if(!isset($connection)) {
        // __DIR__ makes the path independent of the web server's working directory
        $config = parse_ini_file(__DIR__ . '/config.ini');
        $connection = mysqli_connect($config['host'],$config['username'],$config['password'],$config['dbname']);

    }

    if($connection === false) {
        // mysqli_connect() returns false on failure (PHP 7.2); hand back the error text
        return mysqli_connect_error();
    }
    return $connection;
}

How can I start this connection in my website and use it (send/get data) in a safe way so I don't get attacked through a SQL injection?

EDIT: I'm hosting my site with a company and the PHP version is 7.2, but I can change it. I also have at my root folder more files/folders that weren't created by me, like .bash_profile, php.ini, and .gemrc

Picoral

2 Answers


Your .php files should be placed in public_html folder so they can be processed by your webserver (default root folder should be public_html).

The connection to the DB does not have anything to do with SQL injection; it's the query string that you need to pay attention to. The general idea is to verify the user's inputs before executing the query. More details can be found at How can I prevent SQL injection in PHP?

Duc Vu

This question is really broad. Anyway, like others have stated, you will need to move all your files into the public_html directory so that your site will come up and be alive online.

As for your database, you will need to log into Control Panel or Plesk or whatever you are using to create your database user, password and other information, and ensure that you assign the db user all the necessary privileges needed to run the site, like Insert, Update, Delete etc.

As for SQL Injection attacks, you will need to use prepared statements for that. The best option is if you can use PHP Portable Data Object (PDO). Mysqli is fine as long as you follow good coding practice. SQL Injection is explained in detail here: link.

Let me tell you, there are so many other threats and vulnerabilities you will need to know before moving your app to production, otherwise hmmm.

A lot of things need to be done with your php.ini files and .htaccess files. You will need to research how to secure your web application using .htaccess files and php.ini.

You will need to research the OWASP Top Ten web vulnerabilities and how to mitigate them: OWASP link

There are some other security things that you will need to know to get you moving. See my answers on some of the best security practices: link. You will need to study error messages and how to disable them in production. This is just a little that I can give. You will also need to research more on securing web applications in PHP.

Nancy Moore
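Both answers point at prepared statements as the fix for SQL injection, and the question shows a db file kept outside public_html. The block below is an added example (not code from the question or either answer) that puts those two pieces together: a db.php that lives in /www/php and reads config.ini next to it, plus two functions that only ever talk to MySQL through placeholders. The `users` table, its `username` and `password_hash` columns, and the login.php entry point are assumptions made for the example.

```php
<?php
// Added example, not code from the question or the answers. A db.php kept in
// /www/php (outside public_html) with credentials read from config.ini next to
// it, and functions that reach the database only through prepared statements.
// The table `users` with columns `username` and `password_hash` is assumed.
declare(strict_types=1);

function db_connect(): mysqli
{
    static $connection = null;
    if ($connection === null) {
        // Resolve config.ini relative to this file, not to the web server's
        // working directory, so a require from public_html still finds it.
        $config = parse_ini_file(__DIR__ . '/config.ini');
        if ($config === false) {
            throw new RuntimeException('config.ini is missing or unreadable');
        }
        // Make mysqli throw exceptions instead of returning false, so a failed
        // connection or query cannot be silently ignored.
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
        $connection = new mysqli($config['host'], $config['username'], $config['password'], $config['dbname']);
        $connection->set_charset('utf8mb4');
    }
    return $connection;
}

// Never build SQL by pasting user input into the string:
//   "INSERT INTO users (username) VALUES ('$username')"   <-- injectable
// With a prepared statement the SQL text is fixed and the values travel
// separately, so quotes or comment sequences in the input stay plain data.
function create_user(mysqli $db, string $username, string $password): int
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
    $stmt->close();
    return (int) $db->insert_id;
}

function check_login(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $hash = '';
    $stmt->bind_result($hash);
    $found = $stmt->fetch() === true;
    $stmt->close();
    // The hash is compared in PHP, never inside the SQL, so the query does not
    // depend on the password at all.
    return $found && password_verify($password, $hash);
}

// The same INSERT with PDO, which the second answer recommends. Placeholders
// work the same way: the driver sends the values separately from the SQL.
function create_user_pdo(PDO $pdo, string $username, string $password): int
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
    return (int) $pdo->lastInsertId();
}

// Usage from /www/public_html/login.php (assumed file name):
//
//   require __DIR__ . '/../php/db.php';
//   $db = db_connect();
//   $user = $_POST['username'] ?? '';
//   $ok = check_login($db, $user, $_POST['password'] ?? '');
//   if ($ok) { session_start(); session_regenerate_id(true); $_SESSION['user'] = $user; }
//   echo $ok ? 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') : 'Login failed';
```

Only the entry points (login.php, register.php and so on) need to sit in public_html, which is what the first answer asks for; db.php and config.ini stay one level up and are pulled in with `require __DIR__ . '/../php/db.php'`, so the credentials are never served as a static file. The `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` call matters for the production hardening the second answer mentions: with exceptions enabled, a broken query stops the page instead of quietly returning false, and with `display_errors` off in php.ini the exception text is logged rather than shown to visitors.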