This is a discussion on Hiding MySQL username and password within the MySQL forums, part of the Database Server Software category.
Ok, I am a newbie. But now I have tried everything. My quest is to put the MySQL host name, user name, password, databasename and table-name in a separate file outside our web domain and call these variables via include (into my PHP-file).
But it won't work! The path & directories are all fine, the PHP script works perfect (at least before I decided to move this critical information).

This is the script:

<?php //starts here...
include ("/home/secret/protect/the_imported_mysqldata.inc");
$link=LinkUp($host,$username,$password)or die("Cant connect");
mysql_select_db($db_name)or die("cant choose db");

$sql="SELECT secret_variable FROM $tbl_name WHERE username='$username' AND password='$password'";
$result=mysql_query($sql);

(and so on)

here is the included "the_imported_mysqldata.inc":

<?php
$host="the.secret.host";
$username="secret_as_stone";
$password="very_secret";
$db_name="secret_db";
$tbl_name="the_actual_table";

function LinkUp($host,$username,$password)
{
$mysql_link=mysql_connect($host,$username,$password);
return $mysql_link;
}
?>

What have I done wrong? Please??
| |||
> here is the included "the_imported_mysqldata.inc":
> <?php
> $host="the.secret.host";
> $username="secret_as_stone";

What happens if you use the require statement instead of include? If it still does not want to connect, but does include the file, try using the $GLOBALS array (like: $GLOBALS['host'] = 'the.secret.host').

Best regards,
--
Willem Bogaerts
Application smith
Kratz B.V.
http://www.kratz.nl/
| |||
"Nosferatum" <John.Olav.O@gmail.com> wrote in message
news:1175027060.627223.175550@n59g2000hsh.googlegroups.com...
> Ok, I am a newbie. But now I have tried everything. My quest is to put
> the MySQL host name, user name, password, databasename and table-name
> in a separate file outside our web domain and call these variables via
> include (into my PHP-file).
> But it won't work! The path & directories are all fine, the PHP script
> works perfect (at least before I decided to move this critical
> information).
>
> This is the script:
> <?php //starts here...
> include ("/home/secret/protect/the_imported_mysqldata.inc");
> $link=LinkUp($host,$username,$password)or die("Cant connect");
> mysql_select_db($db_name)or die("cant choose db");
>
> $sql="SELECT secret_variable FROM $tbl_name WHERE username='$username'
> AND password='$password'";
> $result=mysql_query($sql);
>
> (and so on)
>
> here is the included "the_imported_mysqldata.inc":
> <?php
> $host="the.secret.host";
> $username="secret_as_stone";
> $password="very_secret";
> $db_name="secret_db";
> $tbl_name="the_actual_table";
>
> function LinkUp($host,$username,$password)
> {
> $mysql_link=mysql_connect($host,$username,$password);
> return $mysql_link;
> }
> ?>
>
> What have I done wrong? Please??
>

I am probably mistaken, but do you need to have "<?php" and "?>" in the include file, as the file will be included within a section of code that's already wrapped in the start/end php codes?
| |||
On Mar 28, 4:23 pm, "Sean" <sean.anderson@[nospam]oakleafgroup.biz> wrote:
> "Nosferatum" <John.Ola...@gmail.com> wrote in message
>
> news:1175027060.627223.175550@n59g2000hsh.googlegroups.com...
>
> > Ok, I am a newbie. But now I have tried everything. My quest is to put
> > the MySQL host name, user name, password, databasename and table-name
> > in a separate file outside our web domain and call these variables via
> > include (into my PHP-file).
> > But it won't work! The path & directories are all fine, the PHP script
> > works perfect (at least before I decided to move this critical
> > information).
>
> > This is the script:
> > <?php //starts here...
> > include ("/home/secret/protect/the_imported_mysqldata.inc");
> > $link=LinkUp($host,$username,$password)or die("Cant connect");
> > mysql_select_db($db_name)or die("cant choose db");
>
> > $sql="SELECT secret_variable FROM $tbl_name WHERE username='$username'
> > AND password='$password'";
> > $result=mysql_query($sql);
>
> > (and so on)
>
> > here is the included "the_imported_mysqldata.inc":
> > <?php
> > $host="the.secret.host";
> > $username="secret_as_stone";
> > $password="very_secret";
> > $db_name="secret_db";
> > $tbl_name="the_actual_table";
>
> > function LinkUp($host,$username,$password)
> > {
> > $mysql_link=mysql_connect($host,$username,$password);
> > return $mysql_link;
> > }
> > ?>
>
> > What have I done wrong? Please??
>
> I am probably mistaken, but do you need to have "<?php" and "?>" in the
> include file, as the file will be included within a section of code that's
> already wrapped in the start/end php codes?

Yes you are - and yes you do!

Correct me if I'm wrong but I think the file server also needs permission to read the folder in which the include is buried.

I know nothing whatsoever about security but I would have thought that just putting the includes in a folder just outside the htdocs path would be safe enough.
The folder would not need to be called anything like 'include'. Likewise, I think the file can have any extension you care to give it.
| |||
strawberry wrote:
> On Mar 28, 4:23 pm, "Sean" <sean.anderson@[nospam]oakleafgroup.biz>
> wrote:
>
>>"Nosferatum" <John.Ola...@gmail.com> wrote in message
>>
>>news:1175027060.627223.175550@n59g2000hsh.googlegroups.com...
>>
>>>Ok, I am a newbie. But now I have tried everything. My quest is to put
>>>the MySQL host name, user name, password, databasename and table-name
>>>in a separate file outside our web domain and call these variables via
>>>include (into my PHP-file).

> I know nothing whatsoever about security

Um.

> but I would have thought that
> just putting the includes in a folder just outside the htdocs path
> would be safe enough.

The problem is that the web server, usually Apache, runs CGI programs as user "nobody". It can't read your non-public files. If you make the password file readable by any user, anybody else on the machine can read it, which is terrible in shared server environments.

John Nagle
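Added example, not part of John Nagle's post or of the thread: a shell check for the two exposures discussed above, a credentials include that sits inside the document root and one that every local account can read. The function name `audit_cred_file` and its DOCROOT argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a credentials include file such as the thread's
# /home/secret/protect/the_imported_mysqldata.inc before relying on it.
# Prints one finding per line and returns 0 only when there are none.

audit_cred_file() {
    file=$1; docroot=$2; rc=0
    [ -f "$file" ] || { echo "missing: $file"; return 2; }

    # Physical directory paths, so a symlinked directory is compared by
    # its real location.
    dir=$(cd "$(dirname "$file")" && pwd -P)
    root=$(cd "$docroot" 2>/dev/null && pwd -P)
    if [ -n "$root" ]; then
        case "$dir/" in
            "$root"/*) echo "inside docroot: a .inc file may be served as plain text"; rc=1 ;;
        esac
    fi

    # find -perm -NNN matches when every listed bit is set on the file.
    if [ -n "$(find "$file" -prune -perm -004)" ]; then
        echo "world-readable: every local account can read the password"; rc=1
    fi
    if [ -n "$(find "$file" -prune -perm -002)" ]; then
        echo "world-writable: every local account can replace the credentials"; rc=1
    fi
    return $rc
}

# Usage: sh audit_cred.sh FILE DOCROOT
if [ $# -eq 2 ]; then
    audit_cred_file "$1" "$2"
fi
```

Mode 640 with the file's group set to the account the web server runs as passes this check. On a shared host where every customer's scripts run as that same account, other customers' scripts can still read the file.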
| |||
On Mar 28, 9:00 pm, John Nagle <n...@animats.com> wrote:
> strawberry wrote:
> > On Mar 28, 4:23 pm, "Sean" <sean.anderson@[nospam]oakleafgroup.biz>
> > wrote:
>
> >>"Nosferatum" <John.Ola...@gmail.com> wrote in message
>
> >>news:1175027060.627223.175550@n59g2000hsh.googlegroups.com...
>
> >>>Ok, I am a newbie. But now I have tried everything. My quest is to put
> >>>the MySQL host name, user name, password, databasename and table-name
> >>>in a separate file outside our web domain and call these variables via
> >>>include (into my PHP-file).
>
> > I know nothing whatsoever about security
>
> Um.
>
> > but I would have thought that
> > just putting the includes in a folder just outside the htdocs path
> > would be safe enough.
>
> The problem is that the web server, usually Apache, runs CGI programs
> as user "nobody". It can't read your non-public files. If you
> make the password file readable by any user,
> anybody else on the machine can read it, which is terrible in shared
> server environments.
>
> John Nagle

So what's the correct solution?
| ||||
On 28 Mar 2007 13:19:00 -0700, strawberry wrote:
> On Mar 28, 9:00 pm, John Nagle <n...@animats.com> wrote:
>> strawberry wrote:
>> > On Mar 28, 4:23 pm, "Sean" <sean.anderson@[nospam]oakleafgroup.biz>
>> > wrote:
>>
>> >>"Nosferatum" <John.Ola...@gmail.com> wrote in message
>>
>> >>news:1175027060.627223.175550@n59g2000hsh.googlegroups.com...
>>
>> >>>Ok, I am a newbie. But now I have tried everything. My quest is to put
>> >>>the MySQL host name, user name, password, databasename and table-name
>> >>>in a separate file outside our web domain and call these variables via
>> >>>include (into my PHP-file).
>>
>> > I know nothing whatsoever about security
>>
>> Um.
>>
>> > but I would have thought that
>> > just putting the includes in a folder just outside the htdocs path
>> > would be safe enough.
>>
>> The problem is that the web server, usually Apache, runs CGI programs
>> as user "nobody". It can't read your non-public files. If you
>> make the password file readable by any user,
>> anybody else on the machine can read it, which is terrible in shared
>> server environments.
>>
>> John Nagle
>
> So what's the correct solution?

Secure the web machine as well as possible, secure the database as well as possible on a different machine, and make sure the functional ID (that the CGI uses to connect to the database) has only the access to the database that is actually needed to accomplish the task at hand. In some cases, that might be fun things like the ID having only INSERT access to some tables, and SELECT from others. Have other IDs used for maintaining the database.

That's the real bit: Your webserver should be trusted no more than you can possibly manage.

--
14. The hero is not entitled to a last kiss, a last cigarette, or any other form of last request.
--Peter Anspach's list of things to do as an Evil Overlord
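Added example, not from the thread: the final reply's advice about the functional ID, checked mechanically by scanning `SHOW GRANTS` output for anything beyond row-level access to named tables. The account `webapp`, host `web01.example` and table `signup_log` are hypothetical, the sample grants are constructed, and treating only SELECT/INSERT/UPDATE/DELETE as acceptable is this example's assumption.

```shell
#!/bin/sh
# Added example: flag grants that give a web application's MySQL account more
# than row-level access to named tables. Input is SHOW GRANTS output, e.g.
#   mysql -N -e "SHOW GRANTS FOR 'webapp'@'web01.example'" | audit_grants
# Prints one finding per line; exit status is 0 only when nothing is flagged.

audit_grants() {
    awk '
    function flag(why) { printf "%s: %s\n", why, $0; bad = 1 }
    /^GRANT / {
        privs = $0; sub(/^GRANT /, "", privs); sub(/ ON .*$/, "", privs)
        scope = $0; sub(/^.* ON /, "", scope); sub(/ TO .*$/, "", scope)
        if ($0 ~ /WITH GRANT OPTION/) flag("can pass its rights to other accounts")
        if (privs == "USAGE") next             # USAGE: may log in, nothing more
        if (scope == "*.*")          flag("global scope")
        else if (scope ~ /\.\*$/)    flag("whole database instead of named tables")
        gsub(/ *\([^)]*\)/, "", privs)         # drop column lists
        n = split(privs, p, /, */)
        for (i = 1; i <= n; i++)
            if (p[i] !~ /^(SELECT|INSERT|UPDATE|DELETE)$/)
                flag("more than row-level access (" p[i] ")")
    }
    END { exit bad + 0 }'
}

# Constructed sample: the kind of account the final reply describes.
good_grants() {
cat <<'EOF'
GRANT USAGE ON *.* TO `webapp`@`web01.example`
GRANT SELECT ON `secret_db`.`the_actual_table` TO `webapp`@`web01.example`
GRANT INSERT ON `secret_db`.`signup_log` TO `webapp`@`web01.example`
EOF
}

# Constructed sample: an over-privileged web account.
bad_grants() {
cat <<'EOF'
GRANT SELECT, FILE ON *.* TO `webapp`@`web01.example`
GRANT ALL PRIVILEGES ON `secret_db`.* TO `webapp`@`web01.example` WITH GRANT OPTION
EOF
}

bad_grants | audit_grants || true
```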