I have the following simple php script in a .php file.

My question is this: How can I be sure that no one can get at the pwd of my database? Is there any chance they could somehow download the file? The folder the php file in question resides in does have an index.html file.



<?php // Connect to the database server
$dbcnx = @mysql_connect("server", "user", "pwd");
if (!$dbcnx) {
echo( "<p>Unable to connect to the " .
"database server at this time. </p>" . mysql_error() );
exit(); }
// Select the quotes database
if (! @mysql_select_db("database") ) {
echo( "<p>Unable to locate the quote " .
"database at this time.</p>" );
exit(); }?>
<blockquote>
<?php // Request a random quote
$result = @mysql_query("SELECT Quote, QuoteAuthor FROM Quotes ORDER BY rand() LIMIT 0,1 ");
if (!$result) {
echo("<p>Error performing query: " . mysql_error() . "</p>");
exit(); }
// Display the text of the quote

echo("<table border='0'>");
while ( $row = mysql_fetch_array($result) ) {
echo("<tr><td width=80%>" . $row["Quote"] . "</td><td valign=bottom width=20%>-- " .
$row["QuoteAuthor"] . "</td></tr><tr><td colspan=2><br><br></td></tr>"); }

echo("</table>");
?>

1) Put the code that has the "private stuff" in a seperate php file. Use an include with the path (in the original php script).

2) Then put that file above htdocs - so no one on the internet can get to it.

3) Then chmod it to 600 - so no one on the Powweb server with you can read it.

That is as secure as you are going to get.