PDO class: Seems it's a bad idea to have the username/password as part of the connection string. How is this dealt with?
Surely in production code, we get this information differently, or am I wrong? It seems one would encrypt things and do all sorts of jumping through hoops. Or is this secret revealed later on in this track?
Gareth Borcherds
Not really. The thing with database connections is that it has to be stored in a file somewhere because you can't connect to the database and retrieve it there without the credentials in the first place :)
Typically though, when you use a framework of some sort, you'll set these settings in a config file. You'll lock that config file down so that only people with the right access, plus your code, can access the connection settings. If you look at something like the good old WordPress, you'll see that the database connection settings are in config.php. This is actually pretty secure given that you lock your server down well enough to prevent someone from getting access to the file.
For the most part, putting code in a php file though is going to be pretty secure as you have to actually see the file to get the data out of it and that can be locked down. Hope this helps.
What I have seen is that a PHP file is created that contains the database connection info assigned to variables. This file is then placed in the inc subdirectory and included. Then, the PDO class sets the connection via variables and not the actual username and password. I have also seen examples where the database info file is not even referenced in an include or require statement in running code but rather in the functions file. For example, functions.php has the line "require_once 'db_info.php';" and index.php would then have the line "require_once 'functions.php';". The call to functions drives the call to db_info.
I have not worked with frameworks but am planning on diving into the Laravel stuff after I'm done with the PHP track. Maybe that will clarify things more for me on how to work with different user permissions and connections to the db? ...
I just checked out the Laravel documentation on Authentication, so perhaps this is where my answer lies. I just feel like I currently know just enough to be dangerous. Onward ho with the PHP track, and since it's all on localhost so far, no harm no foul. Thanks again!
Yes, I understand the server-side nature of PHP and that if you secure and lock down things, most is well. But you speak to my fears of the talented people. :-) Obviously, I have a lot to learn. Thanks Tom!
Ahh, well, you anticipated my next move. Hee hee!
Actually, I just got to where all the DB connection string parts are moved to constants in the config file, just like Gareth said, with a note that of course one would not use the root to connect in a production environment. I feel more secure now. Thanks all!
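Added example (not code from the thread or from any framework it mentions) of the layout Gareth and the original poster describe: credentials live as constants in a separate config file, functions.php pulls that file in with require_once, and the PDO object is built from the constants rather than from literals in the page code. The file names under inc/, the constant names, and the sample values are all assumptions; the user and password are placeholders. It also adds a small permission check a defender would want, since "lock the file down" is the whole basis of the approach.

```php
<?php
// ---- inc/db_config.php (hypothetical path) ----
// Keep this file outside the document root, or deny direct HTTP access to it,
// and restrict its permissions so only the web-server user can read it.
// The values below are constructed placeholders, not real credentials.
define('DB_HOST', 'localhost');
define('DB_NAME', 'app_db');
define('DB_USER', 'app_user');          // a limited account, never root (as the thread notes)
define('DB_PASS', 'REPLACE_ME');        // placeholder password
define('DB_CHARSET', 'utf8mb4');

// ---- inc/functions.php ----
// In the real layout this line loads the constants; index.php then only ever
// needs "require_once 'inc/functions.php';". It is commented out here so the
// example runs as a single file.
// require_once __DIR__ . '/db_config.php';

/**
 * Build the PDO connection from the constants.
 * The DSN carries no credentials; user and password are separate
 * constructor arguments, so no page code contains them as literals.
 */
function get_db_connection(): PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=%s', DB_HOST, DB_NAME, DB_CHARSET);
    $options = [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        PDO::ATTR_EMULATE_PREPARES   => false,
    ];

    try {
        return new PDO($dsn, DB_USER, DB_PASS, $options);
    } catch (PDOException $e) {
        // The driver's message can include host, user and database name.
        // Log it server-side; never echo it to the browser.
        error_log('DB connection failed: ' . $e->getMessage());
        throw new RuntimeException('Database unavailable');
    }
}

/**
 * Returns true if the config file is readable by "other" (world-readable),
 * i.e. the lock-down Gareth describes has not been applied.
 * Checks the POSIX permission bits only; on Windows this always returns false.
 */
function config_is_world_readable(string $path): bool
{
    $perms = @fileperms($path);
    return $perms !== false && ($perms & 0004) !== 0;
}

// ---- index.php (usage) ----
// require_once __DIR__ . '/inc/functions.php';
// if (config_is_world_readable(__DIR__ . '/inc/db_config.php')) {
//     error_log('WARNING: inc/db_config.php is world-readable');
// }
// $db   = get_db_connection();
// $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
// $stmt->execute([':id' => 1]);
```

Two points the thread touches on but does not spell out: the DSN string itself never needs the username or password, since PDO takes them as separate constructor arguments; and the catch block matters because an uncaught PDOException, with display_errors on, will print the connection details to the page. If the config file must sit under the document root, an Apache or nginx rule denying direct requests to it is the usual complement to the file permissions.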