Security: where to put PHP and MySQL Files

[grsubs48]

As part of my learning curve I'm attemting to set up a mysql db the long way round by writing the PHP code. For security reasons, in which part of the folder tree should the php file and the mysql file be stored?

Also, I assume my way of running the php file would be by using a link on one of my web pages. However, if I can click those links then so could anyone else visiting my site. What is the orthodox method of protecting this sort of updating? Should I , or indeed is it possible, to create a link to a section which requires a password, thereby resticting access to such sensitive areas?

All help much appreciated.

[descalzo]

Is this on a server other than x10hosting's free servers?

What are you doing in the PHP file? Updates, maintenance, etc? Do you want to be able to run it from the Web, but nobody else? Run it from a cron job?

[grsubs48]

Thanks for your reply.

Is this on a server other than x10hosting's free servers?

This is on the x10hosting's free servers.

What are you doing in the PHP file? Updates, maintenance, etc? Do you want to be able to run it from the Web, but nobody else? Run it from a cron job?

I'm doing everything: creating the db, creating the tables, might attempt a direct import from excel or may initialy format the input lines in excel and copy the code then I would likely just do the additional maintenance in an input form using php.

[misson]

For DB administration, use phpMyAdmin, which is accessible from cPanel.

If you need to perform tasks at a higher level (site admin, webapp), you can password protect folders using cPanel. This uses HTTP Basic authentication, which sends authentication tokens as plaintext. To prevent eavesdropping attacks, use HTTPS (which requires a paid or VPS account, as the free accounts no longer offer a shared SSL certificate) or manually set up digest authentication. Digest authentication still has its weaknesses, but it's not as bad as Basic.

You can handle authentication & authorization at the app level (e.g. using PHP), but unless you know what you're doing or use an auth package written by people who know what they're doing, your scheme will likely be less secure than any of the above.