Does database connection and functions get destroyed/removed when i change the connection details?
So I want to ask a question about the database connection with mysqli and PHP.
So when I make a connection with
$db = parse_url(getenv("DATABASE_URL"));
$db_host = $db['host'];
$db_user = $db['user'];
$db_pass = $db['pass'];
$conn = new mysqli($db_host, $db_user, $db_pass);
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
echo "Connected successfully";
Everything works.
But if someone is able to echo/show the variables, it's not safe, because then that person has access to the information and the database. What if I do this:
$db_host = "";
$db_user = "";
$db_pass = "";
after the connection is made. Is this safer than doing nothing?
If there is another way to secure it, I would be happy to know.
Thanks - Samir
Alright. That fixed one question :). But is it useful for security, or does this do nothing?
– Samir
Jul 3 at 7:04
What does "someone is able" mean? Someone has access to your files? If someone has, it doesn't matter what you do with variables; someone can read all your files.
– u_mulder
Jul 3 at 7:08
Thanks for the answer!
– Samir
Jul 3 at 7:09
2 Answers
The first question is already answered in the comments by u_mulder, so I'll answer your second question, regarding securing the database connection.
First of all, it's an issue in itself that you don't trust the developers working on this code.
Second, if you partition your code into different projects and repositories, then you'll be able to control which developer has access to which project/repo. The way I have done it in the past (but for different reasons) is by having a project that's responsible for connecting to the database and retrieving/storing/updating any data, and all my other modules/projects call it to get data from the database.
That would be like having a private API between your database and the application.
Another solution would be to limit the kind of queries that particular database user can run. If you're worried about them accessing the database and running a query that isn't run by the code, then just don't allow that user to run any queries that are outside the codebase (i.e. if the code only views tableX, give that user the view privilege for tableX only).
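As an added example (not code from the question or from either answer), here is what the two suggestions above look like together in PHP: a small data-access class that is the only place in the application that connects to MySQL, reads the credentials from DATABASE_URL inside its constructor and never keeps them on the object, and exposes just the two prepared-statement operations the application needs. The matching MySQL grants, restricted to those operations, are given in a comment. The table, column and account names (`users`, `email`, `display_name`, `shop`, `'app'@'10.0.0.%'`) and the URL format `mysql://user:pass@host:3306/dbname` are assumptions for the example.

```php
<?php
// Added example, not the original poster's code. Assumes PHP 7.4+ with the
// mysqlnd driver (needed for get_result()) and a DATABASE_URL of the form
// mysql://user:pass@host:3306/dbname (assumed; the question's URL has no path).
declare(strict_types=1);

final class AppDatabase
{
    private mysqli $conn;

    public function __construct(string $databaseUrl)
    {
        $parts = parse_url($databaseUrl);
        if ($parts === false || !isset($parts['host'], $parts['user'], $parts['path'])) {
            throw new RuntimeException('DATABASE_URL is missing host, user or database name');
        }

        // Throw on connection and query errors instead of returning false,
        // so a failed connect cannot be silently ignored.
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

        $this->conn = new mysqli(
            $parts['host'],
            $parts['user'],
            $parts['pass'] ?? '',
            ltrim($parts['path'], '/'),   // "/dbname" -> "dbname"
            (int) ($parts['port'] ?? 3306)
        );
        $this->conn->set_charset('utf8mb4');
        // $parts goes out of scope here. The password is only ever held in a
        // local variable during construction, never in a property, so there is
        // nothing for other code to echo; the open connection is all that is kept.
    }

    // The only operations the rest of the application can perform.
    // Prepared statements keep user input out of the SQL text.
    /** @return array<int, array<string, mixed>> */
    public function findUsersByEmail(string $email): array
    {
        $stmt = $this->conn->prepare('SELECT id, email FROM users WHERE email = ?');
        $stmt->bind_param('s', $email);
        $stmt->execute();
        return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    }

    public function updateDisplayName(int $id, string $displayName): int
    {
        $stmt = $this->conn->prepare('UPDATE users SET display_name = ? WHERE id = ?');
        $stmt->bind_param('si', $displayName, $id);
        $stmt->execute();
        return $stmt->affected_rows;
    }
}

// The MySQL account named in DATABASE_URL should be allowed exactly the
// statements above and nothing else (assumed schema/user names):
//
//   CREATE USER 'app'@'10.0.0.%' IDENTIFIED BY '<generated password>';
//   GRANT SELECT (id, email), UPDATE (display_name) ON shop.users TO 'app'@'10.0.0.%';
//
// With only those column-level grants, a leaked password still cannot read
// other tables, alter the schema, or update columns the code never touches.

// Usage, assuming DATABASE_URL is set in the environment as in the question:
$url = getenv('DATABASE_URL');
if ($url === false) {
    fwrite(STDERR, "DATABASE_URL is not set\n");
    exit(1);
}
$db = new AppDatabase($url);
var_dump($db->findUsersByEmail('alice@example.com'));
```

The point of keeping the constructor as the only place that sees the password is that, as u_mulder's comment notes, once `new mysqli(...)` has run the application only needs the connection object, not the credentials; the class simply makes that explicit instead of relying on every caller to blank its own variables. Anyone who can already read the process environment or the source files is not stopped by this, which is why the grants matter: they bound what the credentials are worth if they do leak.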
Note: It is good practice to take additional precautions when a DB and/or session etc. is involved. You could implement proper verification on the back-end to verify that the user is accessing from a valid URL/IP address etc., or perform a truncation technique to allow the redirect to the login page and the DB connection if valid, else bounce them to an off-site page. Destroy or clear your session whenever the check does not pass.
Run this code and see. Simple, isn't it?
– u_mulder
Jul 3 at 7:01