The TRUTH about PHP/mySQL security Part II

..continued from The TRUTH about PHP/mySQL security Part I

So here we are on “The TRUTH about PHP/mySQL security Part deux”, So after reading lots of websites/blogs and reviewing nearly 100 OS PHP/mySQL scripts I have found that everyone has a similar structure

Main Page
  |- imgs
     |-someimage.jpg
     |-someimage.jpg
  |- inc
     |- dbconnection.php
     |- extra_file.php
     |- extra_file.php
     |- extra_file.php

What we want to look for is the dbconnection.php file. So lets take a look at a simple dbconnection.php file

[php]< ? include "../config.php"; function db_connect() { $result = @mysql_pconnect($server, $db_user, $db_pass) or die ("Database CONNECT Error (db_fns line 7)"); if (!$result) return false; if (!@mysql_select_db($database)) return false; return $result; } ?>
[/php]

But now we see there is an include config.php, lets take a look into that file

[php]< ? $domain = "www.yourdomain.com"; // Your domain name (include www. if used BUT NOT http://) $server = "localhost"; // Your MySQL server address (usually 'localhost') $db_user = "username"; // Your MySQL database username $db_pass = "password"; // Your MySQL database password $database = "database"; // Your MySQL database name $currency = "UK Pounds"; // The currency that your affiliates will be paid in $emailinfo = "test@email.com"; // Your email address $yoursitename = "Your Site Name"; // Your sites name ?>
[/php]

Is all this information sensitive? Of course it is! imagine some one getting a hold of your $db_user or $db_pass variable, they could easily create scripts that will log into your DB and either edit the information or destroy it. But I’m not going to go into detail about that, what I am after is to learn how secure it is to leave your php scripts out in the open and from what I have learned so far it is pretty safe do that, but I want to continue to search for what other kind of security is offered by PHP.

…to be continued