I am creating a database connection class, that will access the variables or constants defined in the config.php. However, if I am going to create a theme and a plugin engine, how would I only allow the MySQLi connection class to access the config without allowing plugins/themes accessing the information breaching the security of the website & users.
Previously, I just defined host, username, password, and database as constants in the config, then included the config inside a file that included all of the core website files, such as the core functions file, database connection, etc – I believe this is how popular CMS’s such as WordPress, etc, does it? If not please correct me.
If I include the config inside the database class, but then include the database class inside the website, the config can be accessed by custom code inside the themes and plugins – which MUST NOT happen.
How would I go about doing this? I cannot think of any other way.
Thanks,
Kieron
You don’t. Instead you should give your MySQLi wrapper class all the settings it needs. ie:
As for internal security. PHP code has no sandboxing, any script can do an
fopen
on any file and read it’s contents. Think about how you want to approach security.