[prog] PHP script security

Beth Johnson linux.chick at verizon.net
Wed Aug 13 13:14:47 EST 2003


Hi there,
I'm teaching myself some PHP for MySQL website integration and have a
security question before I upload the pages.  I'm just executing a
relatively simple query and returning the results as an HTML table.

I've set up a restricted MySQL user for the script to invoke which has
SELECT privileges only for the database.  One question is, I've put the
username and password for that restricted account in the script.  Is
this how it's commonly done?  Is this an okay way to do this?

Here's the PHP code from a page which displays the results of a race
series where the data from the races is stored in the database.  The
data gets sorted by age division, selecting all in a particular
division, then sorted by total points earned in descending order.  The
resulting page is the current standings in the race series.
-----------------------------------
<?php
/* Restricted MySQL account: SELECT privileges only on the database */
$user = "webuser";
$pass = "please";
$db = "childs2003";
$link = mysql_pconnect( "localhost", $user, $pass );
if ( ! $link )
	die( "Couldn't connect to MySQL." );
mysql_select_db( $db, $link )
	or die( "Couldn't open $db: ".mysql_error() );
/* Find name, age and totalpoints from master for one division,
   ordered by totalpoints, and return the resultset as $result */
$result = mysql_query( "SELECT firstname, lastname, age, totalpoints
FROM master WHERE division='M6+Und' ORDER BY totalpoints DESC", $link );
/* mysql_query() returns FALSE on error; mysql_num_rows() and
   mysql_fetch_row() must not be handed FALSE */
if ( ! $result )
	die( "Query failed: ".mysql_error() );
$num_rows = mysql_num_rows( $result );
print "<table border=1>\n";
/* This prints the headers for the columns */
print "<tr><th>First Name</th><th>Last Name</th><th>Age</th><th>Total Points</th></tr>\n";
/* This fetches each row of the resultset in turn and prints a tr tag
   for each row.  Each value goes through htmlspecialchars() so that a
   name containing < or & is shown as text instead of becoming markup */
while ( $a_row = mysql_fetch_row( $result ) )
	{
	print "<tr>\n";
	foreach ( $a_row as $field )
		print "\t<td>".htmlspecialchars( $field )."</td>\n";
	print "</tr>\n";
	}
print "</table>\n";
/* A persistent connection from mysql_pconnect() is not actually closed
   here; mysql_close() is a no-op for it, but harmless */
mysql_close( $link );
?>
--------------------------------------

It's pretty basic stuff, I think, but enables me to avoid building 9
static pages with 150 rows each once a week.  Eventually I'll have a
form for visitors to select the division to display, instead of pages
with a static query, but I'm having problems with forms on my test
server.  I'll tackle that in another mail, another time!

TIA!  I realize I'm very new at this, and any helpful comments are
welcome.  I just can't get over how much work even this simple script
will save me.

regards,
Beth
-- 
  /\/\    Beth Johnson
 / o o\   Cosmic Wonderer
( / ^^\)  Springfield, MA USA
 \ M_M/   "Ruling a country is like cooking a small fish--
           you have to handle it with care."--Lao Tzu
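The two points a reviewer would raise on this post are shown in the added example below. It is not Beth's code and not from any project: the credentials move to a file outside the web root that only the web-server user can read, and, once the division comes from a form, the value is checked against a list of known divisions and bound to the query as a parameter rather than pasted into the SQL text; every value is escaped before it is printed. It assumes PHP 5.1 or later with PDO and its MySQL driver (the mysql_* functions used in the post were removed in PHP 7), a config file at the hypothetical path /etc/childs2003/db.php, the master table and columns from the post, and a MySQL server holding that database; the division names other than M6+Und are made up.

```php
<?php
/*
 * Added example.  Assumes /etc/childs2003/db.php (hypothetical path, outside
 * the document root, mode 0640, owned by root and the web-server group)
 * contains:
 *
 *   <?php
 *   return array(
 *       'dsn'  => 'mysql:host=localhost;dbname=childs2003;charset=utf8mb4',
 *       'user' => 'webuser',   // SELECT-only account, as in the post
 *       'pass' => 'please',
 *   );
 *
 * Nothing secret then lives under the web root, so a server that is
 * misconfigured to serve .php files as text, or a stray editor backup
 * such as standings.php~, cannot hand the password to a visitor.
 */

// Divisions this page may query.  'M6+Und' is from the post; the rest are made up.
$allowedDivisions = array('M6+Und', 'F6+Und', 'M7-8', 'F7-8');

function connectReadOnly($configPath)
{
    $cfg = require $configPath;
    $pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass']);
    // Throw on error instead of returning false, so no failure goes unnoticed.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Real server-side prepared statements: the bound value never enters the SQL text.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

/* Standings for one division, or null if the division is not on the list. */
function fetchStandings(PDO $pdo, $division, array $allowed)
{
    // Whitelist first: an unknown division is not queried at all.  The bound
    // parameter below already prevents injection; the list keeps the page
    // from being used to probe for other division names.
    if (!in_array($division, $allowed, true)) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT firstname, lastname, age, totalpoints
           FROM master
          WHERE division = :division
       ORDER BY totalpoints DESC'
    );
    $stmt->execute(array(':division' => $division));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/* Escape for HTML so a name containing < or & cannot inject markup. */
function h($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// The division arrives from the form as the GET parameter "division"
// (assumed name); default to the value hard-coded in the post.
$division = isset($_GET['division']) ? $_GET['division'] : 'M6+Und';

try {
    $pdo  = connectReadOnly('/etc/childs2003/db.php');
    $rows = fetchStandings($pdo, $division, $allowedDivisions);
} catch (PDOException $e) {
    // Log the real reason on the server; tell the visitor nothing about the database.
    error_log('standings page: ' . $e->getMessage());
    print "<p>Standings are temporarily unavailable.</p>\n";
    exit;
}

if ($rows === null) {
    print "<p>Unknown division: " . h($division) . "</p>\n";
    exit;
}

print "<table border=1>\n";
print "<tr><th>First Name</th><th>Last Name</th><th>Age</th><th>Total Points</th></tr>\n";
foreach ($rows as $row) {
    print "<tr>\n";
    foreach ($row as $field) {
        print "\t<td>" . h($field) . "</td>\n";
    }
    print "</tr>\n";
}
print "</table>\n";
```

Two things to check on the host before relying on this: that the config file really is outside the directory the web server publishes (a `.php` file inside it is only safe while PHP is configured correctly), and that the read-only account has nothing beyond SELECT on that one database, since a prepared statement protects the SQL but not what a compromised web process is allowed to ask for.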