
Well, I'm creating a database connection with the following PHP code:

<?php 
// Connection settings
define('DB_HOST', 'localhost');
define('DB_USER', 'root');
define('DB_PASSWORD', '');
define('DB_DATABASE', 'evantechbd');

// Open the connection with the configured host, user and password
$db = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD); 
if (!$db)
{
    die('Could not connect to Server: ' . mysql_error());
}
// Select the configured database on that connection
if (!mysql_select_db(DB_DATABASE, $db))
{
    die('Could not connect to DataBase : ' . mysql_error());
} 
?>

Is it really secure?

Is there some specific reason you're worried this isn't secure? Also, the mysql_* functions are being deprecated. – ceejayoz Jan 21 '12 at 18:50
What is latest function? – user1161867 Jan 21 '12 at 18:52
PDO is a good choice. – ceejayoz Jan 21 '12 at 18:54
Thanks for your suggestion @ceejayoz – user1161867 Jan 21 '12 at 18:58

2 Answers

Accepted answer:

Secure against what?

If you want it to be secure against a "rogue module", it's not. All defined values will be accessible anywhere in included files (you should use a config file and unset it after initialization).

$config = parse_ini_file( 'configs/config.php');   // keep the config file outside the web root
mysqli_connect( isset( $config['host']) ? $config['host'] : 'localhost',
    isset( $config['user']) ? $config['user'] : 'root', ...);
// Select DB
unset( $config);   // credentials are gone before any module is included
// Prohibit your modules from opening any file

Against a web user? Again no. You're displaying the error to the end user. You're telling anyone that you're connecting to localhost with user root if the connection fails for any reason (you should throw an exception or trigger an error, notify the user only that there was a database error, send mail to yourself and log the error).

And using root without password is quite a big security issue, but I'm assuming that's just example data.

+1. Also, using the root user in production code isn't a good idea either. A specific user should be created for each application on the server, so if the database information should get compromised, only one site would be affected. – kba Jan 21 '12 at 18:55
can you please give an example? – user1161867 Jan 21 '12 at 18:58
@KristianAntonsen yeah, you're right. We allow connections only from localhost on our MySQL servers, which makes a great deal of difference to security, but there are still applications (such as phpMyAdmin) which can be abused. I prefer naming users like web_ae79ec (with a random hash as suffix) and a long (about 8-20 characters) password. – Vyktor Jan 21 '12 at 18:59
@user1161867 example for? – Vyktor Jan 21 '12 at 19:00
example about your first suggestion – user1161867 Jan 21 '12 at 19:03
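The config-file pattern from the accepted answer and kba's per-application user, carried through with PDO as an added example; this is not code from the original answer. It assumes an ini file at /etc/myapp/db.ini outside the web root and a user named web_ae79ec, both hypothetical, and shows the other two points the answer makes: the full error (which names the host and user) goes only to the server log, and the credentials are unset before any other module is included.

```php
<?php
// Added example, not code from the original answer. Assumptions (not on the page):
// an ini file at /etc/myapp/db.ini, outside the web root, containing
//   host = localhost
//   user = web_ae79ec
//   password = <long random password>
//   database = evantechbd
// and that web_ae79ec is a per-application account created in MySQL with only
// the privileges the site needs, e.g.
//   CREATE USER 'web_ae79ec'@'localhost' IDENTIFIED BY '<long random password>';
//   GRANT SELECT, INSERT, UPDATE, DELETE ON evantechbd.* TO 'web_ae79ec'@'localhost';

function load_db_config(string $path): array
{
    $config = @parse_ini_file($path);
    if ($config === false) {
        throw new RuntimeException("cannot read database config at $path");
    }
    // An empty password (the question's root/'' pair) is rejected here, not at runtime.
    foreach (['host', 'user', 'password', 'database'] as $key) {
        if (!isset($config[$key]) || $config[$key] === '') {
            throw new RuntimeException("database config is missing '$key'");
        }
    }
    return $config;
}

function connect_db(array $config): PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4',
                   $config['host'], $config['database']);
    return new PDO($dsn, $config['user'], $config['password'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // failures throw, nothing is printed
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
    ]);
}

try {
    $config = load_db_config('/etc/myapp/db.ini');
    $db = connect_db($config);
} catch (Exception $e) {
    // The real reason (host, user, server message) goes to the server log only;
    // the browser gets a generic message and a 503, not mysql_error() output.
    error_log('database connection failed: ' . $e->getMessage());
    http_response_code(503);
    exit('A database error occurred. Please try again later.');
}
// Credentials are dropped before any other module is included.
unset($config);
```

Run without a reachable MySQL server, this takes the catch branch: the log line names the host and user, the HTTP response does not. The GRANT in the header comment is what limits the damage if the ini file ever leaks: the account can read and write evantechbd, but cannot create users, read other databases or load files.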

The biggest security issue is that your root database user really should have a password.

Well, I'm just testing it on my localhost server. When I upload it to the server I must change this. But is it secure? – user1161867 Jan 21 '12 at 18:53
Define "secure". What are you trying to protect against? Other parts of your code are more likely to be an issue. – ceejayoz Jan 21 '12 at 18:54
Protect against hacking. What is the issue? – user1161867 Jan 21 '12 at 18:56
The issue is that this code does essentially nothing by itself. There's not really any avenue for a web user to attack here, but when dealing with SQL, there are plenty of things to protect against, like SQL injection. – ceejayoz Jan 21 '12 at 18:59
None of this code is vulnerable to SQL injection, as you aren't actually doing anything with SQL other than connecting in this code. See en.wikipedia.org/wiki/SQL_injection – ceejayoz Jan 21 '12 at 19:06
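ceejayoz's point in the comments above, that the connection code has no injection surface itself but the first query run through it can, as an added example that is not part of the original thread. To run without a MySQL server it uses an in-memory SQLite database through PDO (it assumes the pdo_sqlite extension is loaded); the users table and the attacker input are constructed for the demonstration. The same contrast holds for mysqli, where the hardened form is mysqli_prepare with bind_param.

```php
<?php
// Added example, not from the original thread. The connection in the question is
// not injectable on its own; the queries run through it are where SQL injection
// lives. Uses an in-memory SQLite database via PDO so it runs without MySQL
// (assumes pdo_sqlite is loaded); the table rows and the attacker input below
// are constructed for the demonstration.

function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null,
                  [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");
    return $db;
}

// Vulnerable: untrusted input is spliced into the SQL text, so a quote in the
// input changes the structure of the query rather than just a compared value.
function find_user_unsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the SQL text is fixed at prepare time and the value is bound as a
// parameter, so whatever it contains is only ever compared against the column.
function find_user_safe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_demo_db();
$attacker_input = "' OR '1'='1";   // constructed: turns the WHERE clause into a tautology

// The unsafe lookup matches every row in the table; the safe lookup matches
// none, because no user is literally named ' OR '1'='1.
printf("unsafe: %d rows\n", count(find_user_unsafe($db, $attacker_input)));
printf("safe:   %d rows\n", count(find_user_safe($db, $attacker_input)));
```

The unsafe query the attacker input produces is SELECT id, name FROM users WHERE name = '' OR '1'='1', which is why it returns both rows; the prepared statement never reparses the input as SQL, so the same string finds nothing.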
