
Prevent third-party connections to SQL database (from config.php file)

My question is whether or not it is possible to allow DB connections ONLY from a certain domain. I suppose this could be done by checking the referral URL, but I was curious if there is an easier way.

The reason I am asking this is because I had a thought of someone randomly searching for the config.php file on my server and, if they found out, would simply be able to include it and run mysql queries at will. This is definitely something I would not want.

Is it better to just hide the config file in an unusual place?

Thanks in advance, Phil


First of all, your config.php should not be publicly accessible from the web. Your Web Server should be able to include the file, when needed, but the file itself should never be served up by your web server. With the correct configuration, you shouldn't have to worry about someone "finding" your config.php via a browser.

Also, on the database side, you should set up your database so that it only accepts connections from your web server(s). It should not be publicly accessible to anyone on the internet.

If someone is already on your web server that shouldn't be there, you probably have bigger issues. This might be unavoidable in some shared hosting scenarios, but if that's a concern, get a private server or a hosting provider that will correctly set up permissions for you.


If they are inside the system and can see your files, the chances of you doing much to protect your DB are pretty slim. As for blocking other IPs connecting, you can specifically allow hosts to a DB.


I suppose this could be done by checking the referral URL, but I was curious if there is an easier way.

No. Referer is an HTTP concept; it has no meaning once you get to the database level.

The reason I am asking this is because I had a thought of someone randomly searching for the config.php file on my server

The config file should not be directly accessible over HTTP, and even if it was, it should be executed before being served. So it shouldn't be possible to get to the database credentials remotely.

If you are concerned about other people on the same shared hosting, then your file system permissions should prevent access.


I would control access with my user table. For example, MySQL 5.5 has a mysql.user table with username, password, hostname, and privileges. If you were to set 'hostname' of each user to the specific domain, i.e. update mysql.user set hostname = 'somedomain.com' where user = 'root' and hostname = '127.0.0.1';, the root user would only be able to login from that domain (unless there were multiple entries for the root user in the user table, which there are.) Of course, if you are using only one account for your database access across your application / website, this will not work.
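As an added illustration of the host-restricted account idea above (and of the earlier advice that the database should accept connections only from the web server), here is a MySQL script that is not part of any answer on this page. It assumes MySQL 5.7 or later, an application schema named appdb, and a web server that reaches MySQL from 10.0.0.5; all three are placeholders.

```sql
-- Added example, not from the original answers.
-- Assumed names: schema `appdb`, web server address 10.0.0.5.

-- 1. A dedicated application account bound to the web server's address.
--    MySQL authenticates the (User, Host) pair, so these credentials presented
--    from any other address are refused before a single query runs.
CREATE USER 'app'@'10.0.0.5' IDENTIFIED BY 'replace-with-a-long-random-secret';

-- 2. Least privilege: only the DML the application needs, on one schema.
--    A leaked config.php then exposes a limited account, not the whole server.
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app'@'10.0.0.5';

-- 3. The application must never use root. A root@'%' row is reachable from
--    anywhere the port is open; remove it and keep root local only.
DROP USER IF EXISTS 'root'@'%';

-- 4. Audit: accounts that may log in from any host, or with an empty host.
--    Every row returned here deserves a second look.
SELECT User, Host
  FROM mysql.user
 WHERE Host IN ('%', '');
```

Pair this with a bind-address setting in my.cnf so mysqld only listens on the interface the web server uses, and re-run the audit query after any account change.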
