Ok, I'm new to PHP and MySQL. I've been going through tutorials, reading the
documentation, and looking through web sites. PHP to me seems great! With
MySQL it seems even better.
However, I'm an experienced C++ programmer. This has allowed me to see many
potential areas where the security of a server can be compromised through
loopholes in PHP. Granted, with the right knowledge these potential threats
can be avoided. But I've just started and while I may have found some,
certainly I haven't seen all or at least the most common mistakes.
So then, what I'm asking for is a list, based on the experiences of the PHP
and MySQL community at large, of potential areas to watch out for. Basically
a Do's and Don'ts list, mostly with the Don'ts. If there is a web site that
is considered the source for this sort of info, please let me know. I have
seen many, but so far have not found a definitive one.
Also, I have some specific questions:
Every time I connect to a database, I have to supply a username and password
in my PHP file (duh). This bothers me, because it seems like someone could
easily find their way to this file. I guess I have two questions. A normal
user on the web with no special access to my server (assuming they don't
have some weird backdoor they found) can't view the PHP file, right? Because
it is executed and translated on the server end before ever leaving the
server to go to the user and pop up on their browser. They can't somehow get
at the original source or get the password to the database, right?
If I do somehow give access to the server (let's say using FTP), I have to
make sure not to give them access to my PHP stuff. If they do want their own
database, what should I do? I'm assuming the best course of action is to
create a database for them and a new MySQL username for them, giving only
that username access to that database.
Thanks for the help.
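An added example (not code from the original post) covering the two concrete questions above: keeping the database password out of anything that could be served to a browser, and giving each customer a database plus a MySQL account that can reach only that database. A correctly configured server never sends PHP source to a client, but a misconfiguration (the PHP handler not registered for a directory, or a stray backup copy such as `config.php.bak` left in the document root) can, so the credentials file is placed outside the document root where no URL maps to it. The paths, the `posts` table, the customer name and the password are constructed sample values, and the admin account in the config is assumed to hold CREATE, CREATE USER and GRANT OPTION.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Assumptions: the document root is
// /var/www/html; /var/www/secrets/ is outside it and readable only by the
// account PHP runs as; the admin account named in the config holds CREATE,
// CREATE USER and GRANT OPTION. Names, passwords and the 'posts' table below
// are constructed sample values.

/**
 * Load credentials from a file that no URL maps to. The file returns an array:
 *   <?php return ['dsn' => 'mysql:host=localhost;charset=utf8mb4',
 *                 'user' => 'admin_user', 'password' => 'PLACEHOLDER'];
 */
function loadDbConfig(string $path = '/var/www/secrets/db.php'): array
{
    if (!is_readable($path)) {
        throw new RuntimeException("Database config not readable: $path");
    }
    $config = require $path;
    foreach (['dsn', 'user', 'password'] as $key) {
        if (!isset($config[$key])) {
            throw new RuntimeException("Database config missing key: $key");
        }
    }
    return $config;
}

function connectDb(array $config): PDO
{
    return new PDO($config['dsn'], $config['user'], $config['password'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // errors become exceptions
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]);
}

/** Query text and data travel separately, so request data cannot alter the SQL. */
function findPostsByAuthor(PDO $pdo, string $author): array
{
    $stmt = $pdo->prepare('SELECT id, title FROM posts WHERE author = :author');
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Identifiers cannot be bound as parameters, so accept only a conservative subset. */
function validateCustomerName(string $name): void
{
    if (!preg_match('/^[a-z][a-z0-9_]{0,31}$/', $name)) {
        throw new InvalidArgumentException("Invalid customer name: $name");
    }
}

/**
 * One database and one MySQL account per customer; the account can reach only
 * that database and holds no administrative privileges.
 */
function provisionCustomerDatabase(PDO $admin, string $name, string $password): void
{
    validateCustomerName($name);
    $db   = "`{$name}_db`";                 // backtick-quoted identifier
    $user = $admin->quote("{$name}_user");  // string literal, e.g. 'alice_user'
    $host = $admin->quote('localhost');     // no remote logins for this account
    $pw   = $admin->quote($password);

    $admin->exec("CREATE DATABASE {$db} CHARACTER SET utf8mb4");
    $admin->exec("CREATE USER {$user}@{$host} IDENTIFIED BY {$pw}");
    // Table-level work on this one database only: no GRANT OPTION, no FILE,
    // no SUPER, nothing on mysql.* or on any other customer's database.
    $admin->exec("GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER "
               . "ON {$db}.* TO {$user}@{$host}");
}

/** Check what the account actually ended up with. */
function showGrants(PDO $admin, string $name): array
{
    validateCustomerName($name);
    $user = $admin->quote("{$name}_user");
    $host = $admin->quote('localhost');
    return $admin->query("SHOW GRANTS FOR {$user}@{$host}")->fetchAll(PDO::FETCH_COLUMN);
}

// Usage with constructed values:
$admin = connectDb(loadDbConfig());
provisionCustomerDatabase($admin, 'alice', 'PLACEHOLDER-use-a-randomly-generated-password');
foreach (showGrants($admin, 'alice') as $grant) {
    echo $grant, "\n";
}
```

The output of `SHOW GRANTS` is the check worth keeping in any provisioning script: it should list exactly `USAGE ON *.*` (the "can log in" marker) plus the privileges on `alice_db`.*, and nothing else. The credentials file should be owned by root and group-readable by the PHP account only, so that an FTP account you hand to a customer cannot read it either.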