My question is whether it's possible to allow DB connections ONLY from a certain domain. I guess this could be done by checking the referrer URL, but I was curious if there's a simpler way.
The main reason I'm asking is that I had the idea of somebody randomly looking for the config.php file on my small server and, if they found it, simply being able to include it and run MySQL queries at will. This is certainly something I wouldn't want.
Is it better to simply hide the config file in an unusual place?
Thanks in advance, Phil
If they're inside the system and can see your files, the chances of you doing much to protect your DB are pretty slim. For blocking other IPs from connecting, you can specifically allow hosts to a DB.
First of all, your config.php shouldn't be publicly accessible on the internet. Your web server should be able to include the file if needed, but the file itself should never be served up by your web server. With the correct configuration, you shouldn't need to worry about someone "finding" your config.php using a browser.
Also, on the database side, you should set up your database so that it only accepts connections from your web server(s). It shouldn't be publicly accessible to anyone on the web.
If someone is already on your web server who shouldn't be there, you probably have bigger issues. This may be unavoidable in some shared hosting situations, but if it is a concern, get a private server or a hosting company that will properly set up permissions for you.
I guess this could be done by checking the referrer URL, but I was curious if there's a simpler way.
No. Referer is an HTTP concept; it has no meaning once you get to the database level.
The main reason I'm asking is that I had the idea of somebody randomly looking for the config.php file on my small server
The config file shouldn't be directly accessible over HTTP, and even if it were, it should be executed before being served. So it shouldn't be possible to get at the database credentials remotely.
If you're worried about others on the same shared hosting, your file system permissions should prevent access.
I'd control access with my user table. For example: MySQL 5.5 has a mysql.user table with username, password, hostname, and rights. If you set the 'hostname' of every user to the specific domain,
`UPDATE mysql.user SET Host = 'somedomain.com' WHERE User = 'root' AND Host = '127.0.0.1';` (the column is actually named Host, and a direct edit of mysql.user only takes effect after `FLUSH PRIVILEGES;`), the root user would only be able to log in from that domain (unless there were multiple entries for the root user in the user table, which there usually are). Obviously, if you're using just one account for your database access across the application / website, this won't work.
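As an added illustration of the host-restricted accounts described in the answers above (not code from any of the posters), the following MySQL statements show a wildcard account beside a hardened one, plus an audit query for leftover wildcard entries. The account name `app`, the database `appdb`, the web server address 10.0.0.5 and the password are all assumed placeholders.

```sql
-- Weak: the application account may connect from any host ('%'),
-- so leaked credentials are usable from anywhere the port is reachable.
-- CREATE USER 'app'@'%' IDENTIFIED BY 'placeholder-password';
-- GRANT ALL PRIVILEGES ON appdb.* TO 'app'@'%';

-- Hardened: the account exists only for the web server's address
-- (10.0.0.5 is an assumed example) and carries only the privileges
-- the application actually needs.
CREATE USER 'app'@'10.0.0.5' IDENTIFIED BY 'placeholder-password';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app'@'10.0.0.5';

-- Prefer an IP address over a DNS name in the Host column: a name only
-- matches when the client's IP reverse-resolves to it, and it is ignored
-- entirely when the server runs with skip_name_resolve.

-- Remove the wildcard entry (if one exists) with DROP USER rather than by
-- editing mysql.user rows by hand; CREATE USER / GRANT / DROP USER take
-- effect immediately, so no FLUSH PRIVILEGES is required.
DROP USER 'app'@'%';

-- Audit: accounts that still accept connections from any host, and
-- duplicate root entries that would bypass a host restriction.
SELECT User, Host FROM mysql.user
 WHERE Host = '%' OR Host LIKE '%\%%';
SELECT User, Host FROM mysql.user WHERE User = 'root';
```

Pair this with a server that listens only on an internal interface (bind-address in my.cnf) and a firewall rule for port 3306, so the host check is not the only thing standing between the internet and the database.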