Greetings, fine denizens. I've made significant progress in my project since my first post here some time ago, and I have a question related to a chunk of code I developed to simplify connection to my database. Locally, I need one set of parameters, but after uploading the pages to my web host, I need a different set of connection parameters. Initially, I simply edited the file after uploading it, but that got tiresome quickly, so I came up with the following, which sends the correct parameters based on the SERVER_NAME value:
    // Stop script if connection fails.
    if (mysqli_connect_errno()) {
        printf("Connection failed: %s\n", mysqli_connect_error());
        exit();
    } else {
        return($db);
    }
}
?>
The cast double brackets are simply placeholders I put here in this post to indicate where I have coded my actual parameters in the indicated type. (I left "localhost" as it is.)
My question is this: is all this secure on the Web, or is there a way for someone to remotely acquire such stored connection parameters?
> Greetings, fine denizens. I've made significant progress in my project
> since my first post here some time ago, and I have a question related to
> a chunk of code I developed to simplify connection to my database.
> Locally, I need one set of parameters, but after uploading the pages to
> my web host, I need a different set of connection parameters. Initially,
> I simply edited the file after uploading it, but that got tiresome
> quickly, so I came up with the following, which sends the correct
> parameters based on the SERVER_NAME value:
> The cast double brackets are simply placeholders I put here in this post
> to indicate where I have coded my actual parameters in the indicated
> type. (I left "localhost" as it is.)
> My question is this: is all this secure on the Web, or is there a way
> for someone to remotely acquire such stored connection parameters?
If it's outside the DOCUMENT_ROOT so no one can download it, it's secure. Otherwise a server misconfiguration can expose you errors.
Why not just include a configuration file on both systems, each with the appropriate settings? Much cleaner and less error prone.
BTW - unless you are the domain owner for mywebhost.com, you should not be using their name. Instead, use example.com, example.org, etc., which have been specifically reserved for such uses.
-- ==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstuck...@attglobal.net
==================
> If it's outside the DOCUMENT_ROOT so no one can download it, it's
> secure. Otherwise a server misconfiguration can expose you errors.
Nice. Okay.
> Why not just include a configuration file on both systems, each with the
> appropriate settings? Much cleaner and less error prone.
Are you referring to a PHP.INI? If so, I wasn't aware that I could do so on the host. That would definitely simplify some things.
> BTW - unless you are the domain owner for mywebhost.com, you should not
> be using their name. Instead, use example.com, example.org, etc., which
> have been specifically reserved for such uses.
I have no explanation for {not} thinking "mywebhost" wouldn't be an actual site. That is excellent information about "example" domains.
>> If it's outside the DOCUMENT_ROOT so no one can download it, it's
>> secure. Otherwise a server misconfiguration can expose you errors.
> Nice. Okay.
>> Why not just include a configuration file on both systems, each with the
>> appropriate settings? Much cleaner and less error prone.
> Are you referring to a PHP.INI? If so, I wasn't aware that I could do so
> on the host. That would definitely simplify some things.
No, I'm referring to your own configuration file. Your file; include it where you need the information in it. Call it conf.php or whatever; it keeps server-specific information in it.
>> BTW - unless you are the domain owner for mywebhost.com, you should not
>> be using their name. Instead, use example.com, example.org, etc., which
>> have been specifically reserved for such uses.
> I have no explanation for {not} thinking "mywebhost" wouldn't be an
> actual site. That is excellent information about "example" domains.
> TYVM.
-- ==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstuck...@attglobal.net
==================
> On 2/12/2012 10:50 AM, Aulė wrote:
>> On 2/11/2012 2:46 PM, Jerry Stuckle wrote:
>>> If it's outside the DOCUMENT_ROOT so no one can download it, it's
>>> secure. Otherwise a server misconfiguration can expose you
>>> errors.
>> Nice. Okay.
>>> Why not just include a configuration file on both systems,
>>> each with the
>>> appropriate settings? Much cleaner and less error prone.
>> Are you referring to a PHP.INI? If so, I wasn't aware that I
>> could do so
>> on the host. That would definitely simplify some things.
> No, I'm referring to your own configuration file. Your file;
> include it where you need the information in it. Call it conf.php
> or whatever; it keeps server-specific information in it.
example:
<?
error_reporting(E_ALL); // of course you put this in for testing
require ("myconf.php"); // different on the server and for testing
>>> BTW - unless you are the domain owner for mywebhost.com, you
>>> should not
>>> be using their name. Instead, use example.com, example.org,
>>> etc., which
>>> have been specifically reserved for such uses.
>> I have no explanation for {not} thinking "mywebhost" wouldn't
>> be an
>> actual site. That is excellent information about "example"
>> domains.
> On 2/12/2012 11:13 AM, Jerry Stuckle wrote:
>> On 2/12/2012 10:50 AM, Aulė wrote:
>>> On 2/11/2012 2:46 PM, Jerry Stuckle wrote:
>>>> If it's outside the DOCUMENT_ROOT so no one can download it, it's
>>>> secure. Otherwise a server misconfiguration can expose you
>>>> errors.
>>> Nice. Okay.
>>>> Why not just include a configuration file on both systems,
>>>> each with the
>>>> appropriate settings? Much cleaner and less error prone.
>>> Are you referring to a PHP.INI? If so, I wasn't aware that I
>>> could do so
>>> on the host. That would definitely simplify some things.
>> No, I'm referring to your own configuration file. Your file;
>> include it where you need the information in it. Call it conf.php
>> or whatever; it keeps server-specific information in it.
> example:
> <?
> error_reporting(E_ALL); // of course you put this in for testing
No, this is in the php.ini file, not the code. Of course it will be different in your development and production systems, but should never be set in a production system (at least not for very long).
The only time I enabled error_reporting on a production system was to troubleshoot what ended up being a server configuration problem.
> require ("myconf.php"); // different on the server and for testing
>>>> BTW - unless you are the domain owner for mywebhost.com, you
>>>> should not
>>>> be using their name. Instead, use example.com, example.org,
>>>> etc., which
>>>> have been specifically reserved for such uses.
>>> I have no explanation for {not} thinking "mywebhost" wouldn't
>>> be an
>>> actual site. That is excellent information about "example"
>>> domains.
>>> TYVM.
-- ==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstuck...@attglobal.net
==================
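Added example (not code from any poster in this thread): one way to do what the replies suggest, with a per-host conf.php kept outside DOCUMENT_ROOT and connection errors written to the server log instead of printed to the visitor. The file name conf.php, the setting keys and the temporary directory layout are assumptions made for the demonstration.

```php
<?php
// Added example, not code from the thread. conf.php, the key names and the
// temp layout are assumptions; in a page, $docRoot is $_SERVER['DOCUMENT_ROOT'].
// Load this host's settings, refusing a file the web server could hand out.
function load_db_config(string $confPath, string $docRoot): array
{
    $conf = realpath($confPath);   // resolves ../ and symlinks
    $root = realpath($docRoot);
    if ($conf === false || $root === false) {
        throw new RuntimeException('config file or document root not found');
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($conf, $prefix, strlen($prefix)) === 0) {
        throw new RuntimeException('config file is inside DOCUMENT_ROOT');
    }
    $cfg = require $conf;          // conf.php returns an array
    $missing = array_diff(['host', 'user', 'pass', 'name'], array_keys((array) $cfg));
    if ($missing) {
        throw new RuntimeException('missing settings: ' . implode(', ', $missing));
    }
    return $cfg;
}

// Connect; on failure the detail goes to the server log, not to the visitor.
function db_connect(array $cfg): mysqli
{
    mysqli_report(MYSQLI_REPORT_OFF);   // return false instead of throwing
    $db = mysqli_connect($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name']);
    if ($db === false) {
        error_log('DB connection failed: ' . mysqli_connect_error());
        http_response_code(500);
        exit('Service temporarily unavailable.');
    }
    return $db;
}

// Constructed demo: <tmp>/site_<pid>/public_html plays the web root.
$base = sys_get_temp_dir() . '/site_' . getmypid();
mkdir("$base/public_html", 0700, true);
$body = "<?php return ['host'=>'localhost','user'=>'demo','pass'=>'placeholder','name'=>'demo'];";
file_put_contents("$base/conf.php", $body);             // outside the web root
file_put_contents("$base/public_html/conf.php", $body); // inside it
$cfg = load_db_config("$base/conf.php", "$base/public_html");
echo "loaded settings for {$cfg['host']}\n";
try {
    load_db_config("$base/public_html/conf.php", "$base/public_html");
} catch (RuntimeException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

A page would call db_connect(load_db_config(...)); the demo stops short of that because it has no database to reach.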