Securing DB connection in PHP
I am writing a script for website that will take credit cards. I am trying to secure information as much as possible. My biggest issue is with MySQL db setup.
for example:
I have a db_setup.php file (hidden beyond root directory)
//set parameters $dbuser = 'user'; $dbpassword = 'passwor-secret'; $dbname = 'dbname'; //connect $link = mysql_connect('localhost', $dbuser, $dbpassword); //destroy trivial info unset($dbpassword); unset($dbuser); if (!$link) { die('Could not connect: ' . mysql_error()); } $db_selected = mysql_select_db($dbname, $link); if (!$db_selected) { die ('isses with DB : ' . mysql_error()); } unset($dbname);
require('../protected/db_setup.php');
THE PROBLEM:
IF, and only IF php engine on the webserver chokes and decides to dump all php files in text form (instead of interpreting), whoever is accessing that site can read all my secrets in PLAIN TEXT!!!
How would you prevent that from happening?
I wonder if you're asking, but TrueStory how often does PHP engine crashes?
Well, a hacker can forcefully pass large information to server (in file upload form or in any user input form on the site)
I want to prevent my db_setup.php from being included (but still executed) at all! Even if php engine would never crash.
Gracias!
Your business matters only to people that matter to your business[/U][/B] - Reach them?