I'm moving from Cold Fusion to PHP and I have a question that none of
the books I have answers adequately:
In Cold Fusion, database connection parameters like the table, username
and password are configured on the server. Since they are at the
backend, nothing is exposed on the page except the queries themselves.
In PHP, from what I see, the database info is on the page. Is this not a
security risk? How can one be sure that this info is not on the page
sent to the user?
TIA 7 2004
Lorenzo Thurman wrote: I'm moving from Cold Fusion to PHP and I have a question that none of the books I have answers adequately: In Cold Fusion, database connection parameters like the table, username and password are configured on the server. Since they are at the backend, nothing is exposed on the page except the queries themselves. In PHP, from what I see, the database info is on the page. Is this not a security risk? How can one be sure that this info is not on the page sent to the user?
How is the database login info sent to the user? It's only going to be if
you write it out to html.
Consider the following:
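<?php
// Connection parameters live inside the PHP block, so they are
// processed on the server and never written into the response.
$dbhost = 'localhost';
$database = 'foo';
$login = 'foo';
$password = 'bar';
// ... (rest of the script elided in the original post)
// Note: the mysql_* extension used here was removed in PHP 7.0.
$dbconn = mysql_connect($dbhost, $login, $password);
mysql_select_db($database, $dbconn);
?>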
I can't see how any of that will be sent to the browser unless the page is
not saved with the appropriate extension eg .php - the only stuff between
<? and ?> tags that is sent to the browser is anything you "print" or
"echo".
--
Chris Hope - The Electric Toolbox - http://www.electrictoolbox.com/
Lorenzo Thurman wrote: I'm moving from Cold Fusion to PHP and I have a question that none of the books I have answers adequately: In Cold Fusion, database connection parameters like the table, username and password are configured on the server. Since they are at the backend, nothing is exposed on the page except the queries themselves. In PHP, from what I see, the database info is on the page. Is this not a security risk? How can one be sure that this info is not on the page sent to the user?
It is possible to set the database authentication details in the server
config with PHP. Have a look in php.ini, and the mysql.default_user,
mysql.default_password etc.
Tommy
Everything in the php tags (in a file with the php extension) gets processed
by the script processor server side so it will only ever appear as html (or
JavaScript/VBScript) on the client side. You won't be able to see any php
client side unless you have the wrong file extension, don't close the php
tags or don't have php installed & working properly on the server.
Tony.
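An added example, not part of any post in this thread: a small audit script for the failure case Chris Hope and Tony Clarke describe, where a file containing PHP ends up under an extension the interpreter does not handle and is therefore sent as source. It assumes the server passes only .php files to PHP and serves everything else in the document root as-is; the function names, the credential heuristic and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: only these extensions are handed to the PHP interpreter.
PHP_HANDLED = {".php"}
# Heuristic for assignments such as $password = 'bar' (variable names assumed).
CRED_RE = re.compile(r"""\$\w*(?:pass|login|user)\w*\s*=\s*(['"]).*?\1""", re.I)


def find_exposed_sources(docroot, handled=PHP_HANDLED):
    """Return relative paths of files under docroot that hold PHP code with
    credential-like assignments but would be served as plain text."""
    exposed = []
    for path in Path(docroot).rglob("*"):
        if not path.is_file() or path.suffix.lower() in handled:
            continue  # directories, or files the interpreter will process
        text = path.read_text(encoding="utf-8", errors="replace")
        if "<?" in text and CRED_RE.search(text):
            exposed.append(path.relative_to(docroot).as_posix())
    return sorted(exposed)


def build_sample_docroot(root):
    """Write a constructed sample tree used only for this demonstration."""
    snippet = "<?php\n$login = 'foo';\n$password = 'bar';\n?>\n"
    samples = {
        "index.php": snippet,            # handled by PHP, source never sent
        "db.inc": snippet,               # include file with a non-PHP extension
        "config.php.bak": snippet,       # backup copy left in the docroot
        "old/connect.php~": snippet,     # editor temp file
        "readme.txt": "no code here\n",  # no PHP at all, ignored
    }
    for rel, body in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_docroot(tmp)
        return find_exposed_sources(tmp)


if __name__ == "__main__":
    for rel in demo():
        print("would be served as source:", rel)
```

If the server is also configured to run .inc files through PHP, pass handled={".php", ".inc"} so those files are no longer reported.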
In article <cn**********@news.tdcnorge.no>,
Tommy Gildseth <gi*************@spam.start.no> wrote: Lorenzo Thurman wrote: I'm moving from Cold Fusion to PHP and I have a question that none of the books I have answers adequately: In Cold Fusion, database connection parameters like the table, username and password are configured on the server. Since they are at the backend, nothing is exposed on the page except the queries themselves. In PHP, from what I see, the database info is on the page. Is this not a security risk? How can one be sure that this info is not on the page sent to the user?
It is possible to set the database authentication details in the server config with PHP. Have a look in php.ini, and the mysql.default_user, mysql.default_password etc.
Tommy
To elaborate further, Chris Shiflett has a great article on this: http://shiflett.org/articles/security-corner-mar2004
--
DeeDee, don't press that button! DeeDee! NO! Dee...
In article <vi**************************@news.giganews.com> ,
"Michael Vilain <vi****@spamcop.net>" wrote: In article <cn**********@news.tdcnorge.no>, Tommy Gildseth <gi*************@spam.start.no> wrote:
Lorenzo Thurman wrote: I'm moving from Cold Fusion to PHP and I have a question that none of the books I have answers adequately: In Cold Fusion, database connection parameters like the table, username and password are configured on the server. Since they are at the backend, nothing is exposed on the page except the queries themselves. In PHP, from what I see, the database info is on the page. Is this not a security risk? How can one be sure that this info is not on the page sent to the user?
It is possible to set the database authentication details in the server config with PHP. Have a look in php.ini, and the mysql.default_user, mysql.default_password etc.
Tommy
To elaborate further, Chris Shiflett has a great article on this:
http://shiflett.org/articles/security-corner-mar2004
Thanks, I'll check it out
--
"My Break-Dancing days are over, but there's always the Funky Chicken"
--The Full Monty
In article <lh*******************@news.indigo.ie>,
"Tony Clarke" <cl*****@eircom.net> wrote: You won't be able to see any php client side unless you have the wrong file extension, don't close the php tags or don't have php installed & working properly on the server
Ok, I think I understand.
--
"My Break-Dancing days are over, but there's always the Funky Chicken"
--The Full Monty
In article <11*************@216.128.74.129>,
Chris Hope <bl*******@electrictoolbox.com> wrote: I can't see how any of that will be sent to the browser unless the page is not saved with the appropriate extension eg .php - the only stuff between <? and ?> tags that is sent to the browser is anything you "print" or "echo".
OK, makes sense, thanks.
--
"My Break-Dancing days are over, but there's always the Funky Chicken"
--The Full Monty