PHP Using PHP with MySQL Querying the Database with PHP Querying the Database

PDO class: Seems it's a bad idea to have the username/password as part of the connection string. How is this dealt with?

Surely in production code, we get this information differently, or am I wrong? It seems one would encrypt things and do all sorts of jumping through hoops. Or is this secret revealed later on in this track?

6 Answers

Gareth Borcherds
Gareth Borcherds
9,372 Points

Not really. The thing with database connections is that it has to be stored in a file somewhere because you can't connect to the database and retrieve it there without the credentials in the first place :)

Typically though when you use a framework of some sort, you'll set these settings in a config file. You'll lock that config file down so that only people with the right access, plus your code, can access the connection settings. If you look at something like the good old wordpress, you'll see that the database connection settings are in config.php. This is actually pretty secure given that you lock your server down well enough to prevent someone from getting access to the file.

For the most part, putting code in a php file though is going to be pretty secure as you have to actually see the file to get the data out of it and that can be locked down. Hope this helps.

Robert Mews
Robert Mews
11,540 Points

Hey Gareth,

You mentioned that you'd typically lock the config file down. Could you elaborate on how one would lock a config file on a server?

Casey Ydenberg
Casey Ydenberg
15,621 Points

Just remember not to push your config file to github.

Al3n MicL
Al3n MicL
6,363 Points

And you should take heed to create a .gitignore file that excludes config files like these from your commit history. Save yourself future headaches even if you're on your localhost.

What I have seen is that a php file is created that contains the database connection info assigned to variables. This file is then included in the inc subdirectory. Then, the PDO class sets the connection via variables and not the actual username password. I have also seen examples where the database info file is not even referenced in an include or require statement in running code but rather in the functions file. For example, the functions.php has the line "require_once 'db_info.php';. Index.php would then have the line: "require_once 'functions.php'; The cal to functions drives the call to db_info.

Thanks Gareth.
I have not worked with frameworks but am planning on diving into the Laravel stuff after I'm done with the PHP track. Maybe that will clarify things more for me on how to work with different user permissions and connections to the db? ...
I just checked out the Laravel documentation on Authentication, so perhaps this is where my answer lies. I just feel like I currently just know enough to be dangerous. Onward ho with the php track, and since it's all on localhost so far, no harm no foul. Thanks again!

PHP is a server side code, so if you have a secure server, your connection details are pretty safe even if you don't "lock down" the permissions for the file.

I don't want to say there's "no" way to do it (because there are some exceptionally talented people out there!), but anything inside php tags is going to be processed on the server. That doesn't mean to say you're file isn't impenetrable, but it means that you're probably going to be fine :-).

A lot of servers will have a 'public' folder which is accessible to the outside world. If you use shared hosting (cheaper, everyday hosting) you will only have access to this directory so your config.php file will sit in there too. Rails and Laravel (frameworks) require specific hosting. Most files of the framework are not in the public directory and have actually a very small amount of code sitting in the public directory. I think Rails only has the server error responses like 404, 502 etc... You can think of them as being set back from the user - adding an additional layer of permission based security like Gareth Borcherds mentioned.

Yes I understand the server sideness of php and that if you secure and lock down things, most is well. But you speak to my fears of the talented people. :-) Obviously, I have a lot to learn. Thanks Tom!

Ahh, well, you anticipated my next move. Hee hee!

Actually, I just got to where all the DB connection string parts are moved to constants in the config file, just like Gareth said, with a note that of course one would not use the root to connect in a production environment. I feel more secure now. Thanks all!