Re: Newbie Security Questions
- From: Rob <ratkinson@xxxxxxxxxxxxx>
- Date: Mon, 26 Nov 2007 01:36:15 -0800 (PST)
On Nov 24, 11:31 am, Dan <djdr...@xxxxxxxxx> wrote:
Hello!
I've got some misc. questions about PHP and its usage with MySQL.
The following web page:
http://www.freewebmasterhelp.com/tutorials/phpmysql/3
shows that it is normal to include mysql database usernames and
passwords in the php file. Is this good programming practice? I'm
worried that people would be able to read my php file through a web
browser or through other nefarious means.
This is the statement that must be in the source file to connect to a
database:
mysql_connect('localhost', $username, $password);
with $username and $password defined elsewhere in the source file.
This seems scary to me!
How to properly defend against an injection attack? Wikipedia has the
following code for how to defend:
$query_result = mysql_query(
    "select * from users where name = '"
    . mysql_real_escape_string($user_name, $dbh)
    . "'"
);
If this is all it takes to defend against the attacks why is such a
big deal made about them? Is there something more that you need to
defend against?
Also one more question on how to keep track of people who are
submitting information on a website. How to set a time limit to how
often people can submit information? This is easy to do on the client
side, just disable the button for a set amount of time, but if they
went hunting through my html and found the php script they could
easily whip up a program to POST information willy nilly as fast as
they wanted.
Also any more information or websites that would contain useful
information for newcomers to PHP and MySQL would be grand!
Thanks a lot!
I would be inclined to put the username, password, etc in a separate
file. There are a number of advantages, the main one being if you
accidentally delete the '<?php' tag, the sensitive information won't
be automatically displayed.
Unlikely I know, but might as well be safe.
Rob.
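An added example (not code from the thread) of the two points above: Rob's separate credentials file, kept outside the document root so a misconfigured server can never serve it, and an answer to Dan's "is there something more" question. mysql_real_escape_string() only protects a value that ends up inside quotes; a value concatenated into a numeric comparison is untouched by escaping and still injectable. Prepared statements avoid the problem in every context. The example uses PDO because the mysql_* extension the thread uses was removed in PHP 7.0; the config path, DSN, table and column names are assumptions.

```php
<?php
// Added example, not from the thread. Assumes a config file kept OUTSIDE the
// document root (hypothetical path /var/www/secrets/db_config.php), owned by
// root, readable by the web server user only (e.g. chmod 0640). Its entire
// content would be:
//
//   <?php
//   return [
//       'dsn'  => 'mysql:host=localhost;dbname=app;charset=utf8mb4',
//       'user' => 'app_user',
//       'pass' => 'change-me',
//   ];
//
// No URL maps to that path, so a request for /db_config.php cannot reach it
// even if .php files are being served as plain text.

declare(strict_types=1);

function db_connect(string $configPath): PDO
{
    if (!is_readable($configPath)) {
        throw new RuntimeException('database config not readable: ' . $configPath);
    }
    $cfg = require $configPath;   // the file's `return [...]` becomes this array

    return new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,  // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Why escaping alone is not enough. The thread's pattern, with the value
// outside quotes:
//
//   "select * from users where id = " . mysql_real_escape_string($id, $dbh)
//
// With $id = "1 OR 1=1" there is no quote or backslash to escape, so the
// string passes through unchanged and the query becomes
//
//   select * from users where id = 1 OR 1=1
//
// which returns every row. A prepared statement sends the SQL text and the
// value separately, so the server never parses user input as SQL.

function find_user_by_name(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

function find_user_by_id(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Usage (paths and request fields are assumptions for the example):
// $pdo  = db_connect('/var/www/secrets/db_config.php');
// $user = find_user_by_name($pdo, $_POST['user_name'] ?? '');
// $user = find_user_by_id($pdo, (int) ($_GET['id'] ?? 0));
```

Note that `ATTR_EMULATE_PREPARES => false` matters: with emulation on, PDO escapes and interpolates client-side, which is still safe for quoted values but reintroduces the quoting-context question; with it off, MySQL receives the statement and the parameters as separate protocol messages.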
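For Dan's last question, an added example (not from the thread) of a server-side submission limit. Disabling the button only limits the browser; a script posting straight to the handler is limited only by a check the server does itself. This version keys on the client IP address and keeps the attempt log in MySQL via PDO; the table name, columns and limits are assumptions.

```php
<?php
// Added example, not from the thread. Assumed table (an assumption for the
// example):
//
//   CREATE TABLE submission_log (
//     client_key   VARCHAR(128) NOT NULL,
//     submitted_at INT UNSIGNED NOT NULL,
//     INDEX idx_client_time (client_key, submitted_at)
//   ) ENGINE=InnoDB;

declare(strict_types=1);

// Returns true if this attempt is within the limit. The attempt is recorded
// BEFORE it is counted: two requests racing each other both see the other's
// row and both get rejected at the boundary, so the race fails closed rather
// than letting an extra submission through.
function allow_submission(PDO $pdo, string $clientKey, int $maxPerWindow, int $windowSeconds): bool
{
    $now    = time();
    $cutoff = $now - $windowSeconds;

    // Drop this client's rows that have aged out of the window so the table
    // does not grow without bound.
    $purge = $pdo->prepare(
        'DELETE FROM submission_log WHERE client_key = :k AND submitted_at < :cutoff'
    );
    $purge->execute([':k' => $clientKey, ':cutoff' => $cutoff]);

    $ins = $pdo->prepare(
        'INSERT INTO submission_log (client_key, submitted_at) VALUES (:k, :t)'
    );
    $ins->execute([':k' => $clientKey, ':t' => $now]);

    $cnt = $pdo->prepare(
        'SELECT COUNT(*) FROM submission_log WHERE client_key = :k AND submitted_at >= :cutoff'
    );
    $cnt->execute([':k' => $clientKey, ':cutoff' => $cutoff]);

    return (int) $cnt->fetchColumn() <= $maxPerWindow;
}

// Key on the TCP peer address. X-Forwarded-For is client-controlled unless a
// proxy you operate overwrites it, so trusting it would let the attacker pick
// their own bucket and the limit would be meaningless.
function client_key(string $formName): string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return $formName . '|' . $ip;
}

// Handler sketch: at most 5 submissions per IP per 10 minutes. $pdo is an
// open PDO connection with PDO::ERRMODE_EXCEPTION set.
//
// if (!allow_submission($pdo, client_key('comment'), 5, 600)) {
//     http_response_code(429);
//     exit('Too many submissions; try again later.');
// }
```

An IP-keyed limit is coarse: everyone behind one NAT shares a bucket, and someone with many addresses gets many buckets. It stops the "whip up a program and POST as fast as they want" case the thread describes, but for anything that matters pair it with a login or a CAPTCHA so the key is something the client cannot freely change.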