I'm currently working on a website for my church's college group, and am started to get a little worried about the security of what I'm writing. For instance, I use this function:
function dbConnect()
{
global $dbcon;
$dbInfo['server'] = "localhost";
$dbInfo['database'] = "users";
$dbInfo['username'] = "root";
$dbInfo['password'] = "password";
$con = "mysql:host=" . $dbInfo['server'] . "; dbname=" . $dbInfo['database'];
$dbcon = new PDO($con, $dbInfo['username'], $dbInfo['password']);
$dbcon->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$error = $dbcon->errorInfo();
if($error[0] != "")
{
print "<p>DATABASE CONNECTION ERROR:</p>";
print_r($error);
}
}
to connect to the database whenever I do a query of some sort. I always use the PDO prepared statements to prevent SQL injection from any user input, and I use htmlspecialchars to escape before outputting. My question is this: How do I protect my username and password for my database? I don't know if someone can view the source for my PHP files, but if they could, I can only imagine I would be hosed. What do I do?
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…