Hello everyone, I was attacked and, of course, I don't know how, but I decided to redo the site, and I want to know whether the .htaccess file is more reliable compared to a regular php file.

Then, in php logic, you opened the connection and then you had to close it with mysql_close.

In .htaccess, what should I do so that the connection is closed at the end, after the file has loaded? Or does it happen automatically?

I wrote this in the file:

    php_value mysql.default_user ЛОГИН
    php_value mysql.default_password ПАРОЛЬ

and it works, but what I don't know is this: can .htaccess be attacked with ease, or is it impossible?

  • You can store passwords in htaccess not in clear text, but as a hash. Then it is safer. - Walter Nuss
  • @Sharbag, how to use a hashed password? - etki
  • In .htaccess you add: AuthUserFile /password/path/.htpasswd. And in .htpasswd, lines like: loginname:$apr1$tme6Ndj8$yvuzPW/16laNgzFffNOwV. The generator for this file is here: aspirine.org/htpasswd_en.html - Walter Nuss
  • @Sharbag, I mean that if the password is already hashed, then how to feed it to mysql? - etki
  • @Sharbag, the whole point of a cryptographic hash is that it is irreversible (one of the requirements for this type of hash). A programming language is not suitable here. If the password is changed in a reversible manner, then this does not increase security, but confusion. PS I recommend reading about password hashing there: habrahabr.ru/post/210760 - MrClon

Keep your password outside the root of your site. .htaccess is not designed to store the database password.

If the attacker has access to the server files, he will see the password in both the php file and .htaccess, so you first need to find where the site was hacked and, of course, check that no shell is left on the server.

PHP is better; .htaccess simply does not work everywhere. In general, this turns out to be some kind of nonsense.

You are looking for the problem in the wrong place: if the site was hacked, it was almost certainly not through access to the database but through errors in the scripts.

PS The lines from .htaccess that you gave set the login and password used by the mysql module by default. They simply allow you not to set a login and password when connecting to the database (the mysql module in this case apparently uses the default value). Otherwise, the process of working with the database looks exactly the same.

PPS The mysql module you use is deprecated and unsafe. In one of the next versions of php it will be removed. It is recommended to use mysqli or pdo-mysql instead.
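An added example, not code from any of the posts above: it combines two of the answers' suggestions, keeping the database password outside the site root and connecting through PDO instead of the old mysql module. The directory layout, the `db.php` file, the `pages` table and the `slug` parameter are all hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical layout assumed by this example:
//   /var/www/example/public          <- document root (index.php, .htaccess)
//   /var/www/example/private/db.php  <- credentials, never served by Apache
// db.php (constructed sample) contains only:
//   <?php return ['dsn' => 'mysql:host=localhost;dbname=app;charset=utf8mb4',
//                 'user' => 'app_user', 'password' => 'change-me'];

function loadDbConfig(string $path, string $docRoot): array
{
    $real = realpath($path);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('Config file or document root not found');
    }
    // Refuse a config file that a web request could reach.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($real, $prefix) === 0) {
        throw new RuntimeException('Config must live outside the document root');
    }
    // Refuse files readable or writable by "other" (POSIX permission bits).
    if ((fileperms($real) & 0006) !== 0) {
        throw new RuntimeException('Config permissions are too open');
    }
    $cfg = require $real;
    if (!is_array($cfg) || !isset($cfg['dsn'], $cfg['user'], $cfg['password'])) {
        throw new RuntimeException('Config is missing dsn, user or password');
    }
    return $cfg;
}

$cfg = loadDbConfig(__DIR__ . '/../private/db.php', $_SERVER['DOCUMENT_ROOT'] ?? __DIR__);
$pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['password'], [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly
    PDO::ATTR_EMULATE_PREPARES   => false,                  // real prepared statements
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Request data is bound as a parameter, never concatenated into the SQL text.
$stmt = $pdo->prepare('SELECT id, title FROM pages WHERE slug = :slug');
$stmt->execute([':slug' => $_GET['slug'] ?? 'home']);
$page = $stmt->fetch();

// Dropping the last references closes the connection; PHP also does this
// automatically when the script ends, so no explicit close call is required.
$stmt = null;
$pdo  = null;
```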