I’m no security guru. But I mostly learn stuff the hard way (or by having a mentor/partner smack me on the head until I do it… which is still the hard way).
If you’re using MySQL databases, you’ll most likely have some sort of config file that holds at least the following:
* Database name
* Database username
* Database password
You think that’s stupid? It’s actually not. As proof, the very same pattern is used by popular projects such as WordPress, Joomla, and OSCommerce.
Anyway, I’ll list a few practices I follow. If you have more (or better ones), please, by all means, enlighten me! (I’m not being sarcastic, I’m kinda lost.)
Convert your config file to config.php
Convert your regular config file to PHP, then lock it down. Step by step:
1. Add “.php” to the end of the file name. Why? Because if you don’t, the web server treats the file as static content and serves it as text, so whoever requests “http://yourwebsite.com/config.file” directly sees the database credentials in plain text!
2. Put the values in PHP code, something like this:
<?php
$database_name     = "dbname";
$database_username = "dbusername";
$database_password = "dbpassword";
?>
3. REQUIRE your “config.php” file in your main PHP code:
require 'config.php';
Why steps 2 and 3?
Step 2 ensures that if config.php is requested directly, the server executes it as PHP instead of serving it: the assignments run, nothing is echoed, and the visitor gets an empty page. One caveat: this only holds while the PHP handler is actually active for that file. A broken or missing handler, or a stray editor backup copy such as “config.php.bak” or “config.php~” that no longer ends in “.php”, gets served as plain text again, so keep backups out of the web root.
Step 3 stops the script dead IF THE CONFIG FILE ISN’T THERE to include: “require” raises a fatal error on a missing file. If you used “include” instead, PHP only emits a warning and the rest of the code keeps running with $database_name and friends undefined, so the database connection is attempted with empty (or, on old setups with register_globals turned on, attacker-supplied) values. Failing loudly beats limping on.
4. Change the permissions of “config.php” to “0644”, or tighter if you can.
Why? To keep unwanted people out. Note what 0644 actually does: it removes write access from everyone but the owner, but the file stays readable by every other user on the machine, and on a shared host that means every other customer. If the PHP process runs as your own account (suPHP, php-fpm pools, etc.), use 0600 instead; if the web server runs as a separate user in your group, 0640 is the right choice.
5. Move the config file to a parent directory that isn’t reachable over the web.
For example, if your config.php lives in “myaccount/public_html/MyWebsite/config.php” (taking a shared webhost account as an example), move it to the “myaccount” folder, which is two directories up from “MyWebsite”, and in your code change the require line from:
require 'config.php';
To
require dirname(__FILE__) . '/../../config.php';
Why build the path from dirname(__FILE__) (or __DIR__ on PHP 5.3+) instead of writing a bare “../../config.php”? Because a relative path is resolved against the current working directory, not against the script’s own location, so it silently breaks when the script is run from somewhere else. And why move the file at all? So it can’t be accessed by browsers: the web server only serves what lives under public_html, so a request can never reach it, whatever the PHP handler does.
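The five steps carried through end to end, as an added example (this is not the post’s own code). It assumes a Unix shared host with the home directory /home/myaccount, the web root at /home/myaccount/public_html, the site in MyWebsite/, MySQL on localhost, and a PHP process that runs as the account’s own user, so the config file can be 0600. The credentials, paths and the function names load_config and db_connect are placeholders:

```php
<?php
// Added example, not the original post's code. Paths, names and credentials are assumptions.
//
// ---- File 1: /home/myaccount/config.php  (OUTSIDE public_html, chmod 0600) ----------------
// The credentials are returned as an array instead of being assigned to loose globals, so
// nothing leaks into the global scope and `require` hands the values straight back to the caller.
//
//   <?php
//   return array(
//       'db_host'     => 'localhost',
//       'db_name'     => 'dbname',
//       'db_username' => 'dbusername',
//       'db_password' => 'dbpassword',
//   );
//
// ---- File 2: /home/myaccount/public_html/MyWebsite/db.php -----------------------------------

/**
 * Load the config file from outside the web root, refusing to continue if it is
 * missing, world-readable, or does not contain what we expect.
 */
function load_config($path)
{
    // Step 3: `require` would die on a missing file anyway, but fail on purpose with a
    // message that does not echo the path to the visitor (error_log gets the detail).
    if (!is_file($path)) {
        error_log('config file not found: ' . $path);
        header('HTTP/1.1 500 Internal Server Error');
        exit('Site configuration missing.');
    }

    // Step 4: refuse to run while the file is readable by "others" (mode bit 0004).
    // On a shared host "others" means every other customer, so 0644 is not enough;
    // use 0600 (or 0640 if the web server runs as a separate user in your group).
    if ((fileperms($path) & 0004) !== 0) {
        error_log('config file is world-readable, chmod 0600 it: ' . $path);
        header('HTTP/1.1 500 Internal Server Error');
        exit('Site configuration is insecure.');
    }

    // Steps 1/2: the file ends in .php and is executed, never shown as text.
    $config = require $path;
    if (!is_array($config)) {
        error_log('config file did not return an array: ' . $path);
        header('HTTP/1.1 500 Internal Server Error');
        exit('Site configuration invalid.');
    }
    return $config;
}

/**
 * Open the database connection with the loaded credentials. The exception is caught
 * so the driver's error text (which can include the username and host) never reaches
 * the browser; it goes to the server log instead.
 */
function db_connect(array $config)
{
    $dsn = 'mysql:host=' . $config['db_host']
         . ';dbname=' . $config['db_name']
         . ';charset=utf8mb4';
    try {
        return new PDO($dsn, $config['db_username'], $config['db_password'], array(
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ));
    } catch (PDOException $e) {
        error_log('database connection failed: ' . $e->getMessage());
        header('HTTP/1.1 500 Internal Server Error');
        exit('Database unavailable.');
    }
}

// Step 5: two directories above MyWebsite/ is /home/myaccount. The path is built from this
// file's own directory, so it works no matter which working directory the script is run from.
$config = load_config(dirname(__FILE__) . '/../../config.php');
$db     = db_connect($config);
```

After moving the file, set its mode once with `chmod 0600 /home/myaccount/config.php`; the permission check in load_config then acts as a tripwire that fails the site closed if somebody later loosens it, rather than quietly running with a readable password file.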
Stay tuned for more PHP quickies 😀