has permission to read any files that contain sensitive information, such as the database
server password.
PHP scripts are executed by the server before content is sent to a requesting web
browser, so people won't see the password when they load a PHP page. However,
included files are sometimes given names with the .inc extension. The web server only
processes files with the .php extension, and sends other text files untouched to the web
browser. This presents a worrisome security problem if the file contains sensitive
information; if a user correctly types in the URL of a header file, she'll be able to see its
contents.
We recommend that you always use the .php extension for header files. The web server
will provide the output produced by running this script, and since the script doesn't
actually print anything, a user who directly requests the include file will see only a blank
page.
If you choose to use an extension other than .php, you should place the include files
outside the web server document tree, so that the web server does not serve the file to
users; this can lead to difficulties with maintenance because the application files won't
all be located together. Alternatively, you can tell the web server to refuse access to files
with that particular extension. For the Apache web server, you can do this by adding
the following directives to the httpd.conf configuration file and restarting the server:
<Files ~ "\.inc$">
Order allow,deny
Deny from all
Satisfy All
</Files>
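A quick way to check a document tree for the problem described above is to look for files that contain PHP code but carry an extension the server will not hand to the PHP interpreter. The following Python script is an added example, not code from the book; it assumes, as the text does, that only files ending in .php are processed, and it builds a small constructed directory tree so it runs without a web server.

```python
import os
import tempfile

# Extensions the web server passes to PHP; anything else is sent to the
# browser as plain text. Assumption from the text: only .php is configured.
PROCESSED_EXTENSIONS = {".php"}


def find_exposed_includes(docroot, processed=PROCESSED_EXTENSIONS):
    """Return the paths (relative to docroot, sorted) of files that contain
    PHP code but whose extension means the server would serve them verbatim."""
    exposed = []
    for dirpath, _, filenames in os.walk(docroot):
        for fname in filenames:
            ext = os.path.splitext(fname)[1].lower()
            if ext in processed:
                continue  # the interpreter runs these; nothing leaks
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)  # the open tag is near the top
            except OSError:
                continue
            # A PHP open tag in a file the server will not process is the
            # exact situation that exposes an include file's contents.
            if b"<?php" in head:
                exposed.append(os.path.relpath(path, docroot))
    return sorted(exposed)


def build_sample_tree(root):
    """Constructed sample document root: two safe .php files, two include
    files with non-.php extensions, and one ordinary text file."""
    files = {
        "index.php": "<?php include 'db.inc'; ?>",
        "db.inc": "<?php $dbpass = 'constructed-example-password'; ?>",
        "lib/header.php": "<?php function header_html() { } ?>",
        "lib/config.txt": "<?php $secret = 'constructed'; ?>",
        "readme.txt": "Plain text, nothing to leak.",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_exposed_includes(root)


if __name__ == "__main__":
    for rel in demo():
        print("would be served as plain text:", rel)
```

Run it against a real document root with `find_exposed_includes("/path/to/docroot")`; any path it reports should either be renamed to .php, moved outside the document tree, or covered by a deny rule such as the Apache directives above.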
Processing and Using User Data
Up to this point, we've shown you how to query and return results from MySQL.
However, all our examples are simple because they don't take user input and use it in
the querying process. Indeed, unless you change the data in the database, the queries
we've shown produce the same results each time. This section shows you the basics of
securely and effectively including user data in the process to customize your query input
and output.
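The safe way to include user data in a query is to keep the SQL text fixed and hand the data to the database driver separately as a parameter. The following Python example is added here and is not code from the book; it uses an in-memory sqlite3 database standing in for the music database so it runs without a MySQL server, and it constructs its own artist rows. It shows why pasting user text into the SQL string breaks as soon as a legitimate value contains an apostrophe, and how a placeholder avoids the problem.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the music database's artist table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE artist (artist_id INTEGER PRIMARY KEY, artist_name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO artist (artist_name) VALUES (?)",
        [("New Order",), ("Nick Cave & The Bad Seeds",)],
    )
    conn.commit()
    return conn


def find_artist_unsafe(conn, name):
    """Builds the SQL by pasting the user's text into the statement.
    The database parses whatever the user typed as part of the query."""
    sql = "SELECT artist_name FROM artist WHERE artist_name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_artist_safe(conn, name):
    """Uses a placeholder: the value travels separately from the SQL text
    and is never interpreted as part of the statement."""
    sql = "SELECT artist_name FROM artist WHERE artist_name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def add_artist(conn, name):
    """Insert a new artist the same way; returns the new artist_id."""
    cur = conn.execute("INSERT INTO artist (artist_name) VALUES (?)", (name,))
    conn.commit()
    return cur.lastrowid


def query_breaks_on_input(conn, name):
    """True if the string-built query fails to parse for this input."""
    try:
        find_artist_unsafe(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    new_id = add_artist(db, "Guns N' Roses")
    print("inserted artist_id", new_id)
    print("safe lookup:", find_artist_safe(db, "Guns N' Roses"))
    print("string-built query breaks on apostrophe:",
          query_breaks_on_input(db, "Guns N' Roses"))
```

The apostrophe in "Guns N' Roses" ends the string literal early in the string-built version, so the database rejects the statement; with a placeholder the same name is stored and found correctly. Because the parameter is never parsed as SQL, no quoting or escaping of the user's text is needed.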
Consider an example of an HTML page. Example 14-4 contains a form that's designed
to capture details about a new artist and album to add to the music database.
Example 14-4. A simple HTML form
<!DOCTYPE HTML PUBLIC
"-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html401/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />