MySQLi connection with variables in config.php

I am creating a database connection class that will access the variables or constants defined in config.php. However, if I am going to create a theme and plugin engine, how would I allow only the MySQLi connection class to access the config, without allowing plugins/themes to access the information and breach the security of the website & users?

Previously, I just defined host, username, password, and database as constants in the config, then included the config inside a file that included all of the core website files, such as the core functions file, database connection, etc. – I believe this is how popular CMSs such as WordPress, etc., do it? If not, please correct me.


If I include the config inside the database class, but then include the database class inside the website, the config can be accessed by custom code inside the themes and plugins – which MUST NOT happen.

How would I go about doing this? I cannot think of any other way.

Thanks,
Kieron


1 comment

  1. how would I only allow the MySQLi connection class to access the config

    You don’t. Instead, you should give your MySQLi wrapper class all the settings it needs, i.e.:

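    class MySQLiWrapper {
        private $db; // mysqli handle built from the settings passed in
        public function __construct($server, $username, $password, $database) {
            $this->db = new mysqli($server, $username, $password, $database);
        }
    }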
    

    As for internal security: PHP code has no sandboxing; any script can do an fopen on any file and read its contents. Think about how you want to approach security.
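
The constructor-injection approach from the comment above, written out as an added example (not the commenter's code): config.php returns an array instead of defining constants, which is an assumption that differs from the original post, a hypothetical `bootstrap()` hands the settings to the wrapper, and a hypothetical `plugin_probe()` reports what code in the same PHP process can still see. The host, credentials and file name are constructed.

```php
<?php
// Added example; the host, user, password and file name are constructed.

// Stand-in for config.php: it returns the settings instead of define()-ing
// them, so they never enter the global constant table.
$configPath = sys_get_temp_dir() . '/config.example.php';
file_put_contents($configPath, "<?php return ['server' => 'db.example.test', "
    . "'username' => 'app', 'password' => 'constructed-pw', 'database' => 'site'];");

class MySQLiWrapper {
    private $settings;
    private $db = null;

    // The caller hands over the settings; the class never includes config.php.
    public function __construct($server, $username, $password, $database) {
        $this->settings = [$server, $username, $password, $database];
    }

    // Connect on first use, so this demo runs without a database server.
    public function connection() {
        if ($this->db === null) {
            $this->db = new mysqli(...$this->settings);
            $this->settings = null; // drop the credentials once connected
        }
        return $this->db;
    }
}

// Core bootstrap: load the config inside a function scope, build the wrapper,
// and let the settings array go out of scope when the function returns.
function bootstrap($configPath) {
    $cfg = require $configPath;
    return new MySQLiWrapper($cfg['server'], $cfg['username'], $cfg['password'], $cfg['database']);
}

// Stand-in for plugin code running in the same PHP process.
function plugin_probe($configPath) {
    return [
        'constant_defined' => defined('DB_PASSWORD'),
        'global_variable'  => isset($GLOBALS['cfg']),
        'file_readable'    => strpos(file_get_contents($configPath), 'constructed-pw') !== false,
    ];
}

$wrapper = bootstrap($configPath);
var_dump(plugin_probe($configPath));
unlink($configPath);
```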
