Does database connection and functions get destroyed/removed when i change the connection details?


Does database connection and functions get destroyed/removed when i change the connection details?



So i want to ask a question about the database connection with msqli and php.
So when i make a connection with


$db = parse_url(getenv("DATABASE_URL"));
$db_host = $db['host'];
$db_user = $db['user'];
$db_pass = $db['pass'];

$conn = new mysqli($db_host, $db_user, $db_pass);

if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
echo "Connected successfully";



Everything works.
But if someone is able to echo/show the variables its not safe because then the person has access to the information and database. What if i do this:


$db_host = "";
$db_user = "";
$db_pass = "";



after the connection is made. is this safer than doing nothing?



If there is another way to secure it, I would be happy to know



Thanks - Samir





Run this code and see. Simple, isn't it?
– u_mulder
Jul 3 at 7:01





Alright. That fixed 1 question :). but is it useful for security, or does this nothing?
– Samir
Jul 3 at 7:04





What does it mean - someone is able? Someone has access to your files? If someone has - it doesn't matter what you do with variables, someone can read all your files.
– u_mulder
Jul 3 at 7:08





Thanks for the answer!
– Samir
Jul 3 at 7:09




2 Answers
2



The first question is already answered in the comments by u_mulder so I'll answer your second question in regards to the securing the database connections.



First of all, it's an issue in itself that you don't trust the developers working on this code.



Second, if you partition your code into different projects and repositories then you'll be able to control which developer has access to which project/repo. The way I have done it in the past (but for different reasons) is by having a project that's responsible for connecting to the database and retrieving/storing/updating any data and all my other modules/projects are calling it to get some data from the database.
That would be like having a private API between your database and the application.



Another solution would be to limit the kind of queries that particular database user can run, if you're worried about them accessing the database and using it for running a query that isn't being run in the database then just don't allow that user to run any queries that are outside the codebase (i.e. if the user only views tableX in the code, give that user the view privilege for tableX only)



Note: A good practice to take additional precaution when DB and or Session etc.. involved. Could implement proper verification on the back-end to verify user accessing from a valid URL/IP address etc or perform truncation technique to allow redirect to login page and DB connection if valid else bounce them to an off-site. Destroy or clear your session whenever not passing.






By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.

-

Popular posts from this blog

api-platform.com Unable to generate an IRI for the item of type

api-platform.com Unable to generate an IRI for the item of type I'm trying to setup my first api-platform instance and have run into some presumably noob questions around IDE. What i'm trying to do is setting up an register and reset entity in order to deal with registrations and password reminders from an app. And then have the entity's passed to a custom controller to do some checks, balances and mails afterwards (haven’t gotten around to that yet). But I keep running into this error when posting to my custom entities: { "@context": "/api/contexts/Error", "@type": "hydra:Error", "hydra:title": "An error occurred", "hydra:description": "Unable to generate an IRI for the item of type "AppXXXUserBundleEntityRegister"", "trace": [ { "namespace": "", "short_class": "", "c
Read more

How to set up datasource with Spring for HikariCP?

How to set up datasource with Spring for HikariCP? Hi I'm trying to use HikariCP with Spring for connection pool. I'm using jdbcTempLate and JdbcdaoSupport. This is my spring configuration file for datasource: <bean id="dataSource" class="com.zaxxer.hikari.HikariDataSource"> <property name="dataSourceClassName" value="oracle.jdbc.driver.OracleDriver"/> <property name="dataSource.url" value="jdbc:oracle:thin:@localhost:1521:XE"/> <property name="dataSource.user" value="username"/> <property name="dataSource.password" value="password"/> </bean> But unfortunately the following error message is generating: Cannot resolve reference to bean 'dataSource' while setting bean property 'dataSource'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'dataSource'
Read more

PHP contact form sending but not receiving emails

PHP contact form sending but not receiving emails I have created a contact form using PHP to send the data. The form seems to send fine as there are no errors and success message appears, however I am not receving the emails into the designated inbox. I am using PHPMailer as I originally tried just using the php 'mail' command which I now understand is a bit hit and miss. I cannot see why I would not be receving the emails so I would be very grateful for any help that could be given. I'm quite new to PHP so please be patient with me :) <?php use PHPMailerPHPMailerPHPMailer; use PHPMailerPHPMailerException; $msg = ""; if (isset($_POST['submit'])) { require 'phpmailer/src/Exception.php'; require 'phpmailer/src/PHPMailer.php'; require 'phpmailer/src/SMTP.php'; function sendemail ($to, $from, $body) { $mail = new PHPMailer(true); $mail->setFrom($from); $mail->addAddress($to); $ma
Read more