I have made a website where I only display items from my db tables. I pass variables from one page to the other to display certain items; there is no adding, deleting or editing of my table items in my website, it is just displaying information.
// Read the value posted by the previous page (was missing the leading $)
$aaa = $_POST['aaa'];
$databasehost = "localhost";
$databasename = "mydb";
$databaseusername = "user";
$databasepassword = "password";
// Connect to the database server
$dbcnx = @mysql_connect($databasehost, $databaseusername, $databasepassword);
if (!$dbcnx) {
echo( "<font color='red'><P>can't connect to server.</P></font>" );
exit();
}
// Select the database
if (! @mysql_select_db($databasename) ) {
echo( "<font color='red'><P>can't connect to db </P></font>");
exit();
}
// Escape the value for use inside a quoted SQL string literal
// (needs the open connection above; was missing the semicolon)
$aaa = mysql_real_escape_string($aaa);
// and with $aaa I do my query
I have read that by protecting my variables with mysql_real_escape_string() I stop any injections into my queries, but I feel vulnerable with:
$databasehost = "localhost";
$databasename = "mydb";
$databaseusername = "user";
$databasepassword = "password";
Am I just paranoid, or is there a way to protect this information that connects to my server and database?
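An added example (not the asker's code) of the two changes a reviewer would suggest for the script above: keep the credentials in a file outside the web root instead of in the script, and bind $aaa as a parameter with PDO so the query does not depend on escaping at all. The config path /etc/myapp/db.ini and the table items with columns id and title are assumptions.

```php
<?php
// Added example, not the asker's code. Assumes /etc/myapp/db.ini lives
// outside the web root, is readable only by the web server user, and holds:
//   host=localhost
//   name=mydb
//   user=user
//   pass=password
// The table "items" with columns "id" and "title" is also an assumption.
declare(strict_types=1);

function loadDbConfig(string $path): array {
    $cfg = parse_ini_file($path);
    if ($cfg === false) {
        throw new RuntimeException('cannot read db config');
    }
    foreach (['host', 'name', 'user', 'pass'] as $key) {
        if (!isset($cfg[$key])) {
            throw new RuntimeException("db config missing '$key'");
        }
    }
    return $cfg;
}

function connect(array $cfg): PDO {
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $cfg['host'], $cfg['name']);
    return new PDO($dsn, $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// Fetch items by id; the value is validated, then bound, never pasted into SQL.
function findItems(PDO $pdo, string $aaa): array {
    if (!ctype_digit($aaa)) {
        return [];                     // reject anything that is not a plain number
    }
    $stmt = $pdo->prepare('SELECT id, title FROM items WHERE id = :id');
    $stmt->bindValue(':id', (int) $aaa, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

try {
    $pdo  = connect(loadDbConfig('/etc/myapp/db.ini'));
    $rows = findItems($pdo, $_POST['aaa'] ?? '');
    foreach ($rows as $row) {
        echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
} catch (Throwable $e) {
    error_log($e->getMessage());       // details go to the server log, not the browser
    echo '<p>Sorry, something went wrong.</p>';
}
```

If the script itself is ever served as plain text through a misconfiguration, the credentials are not in it, and a database user limited to SELECT on the displayed tables keeps any remaining mistake read-only.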