I’ve been studying php and sql and have learned how to make a database; a table of hypothetical users in the database; add (user) entries to the table; hash the passwords; edit entries …
I’ve got a working log-in php script which matches hashed passwords
in the database hashed versions of passwords entered by “users” (actually me while doing testing).
So far, so good, not that this hasn’t taken a long time working through a book and various web sources.
But the way this is set up currently, this requires the user to know the hostname etc details enabling a connection to the database in mysql.
In order for a real user to log in; his/her credentials have to be compared to what is in the database. I don’t want the users knowing how to connect to the sql database themselves; nor do I want the hostname etc needed to connect to it permanently part of any php file. I assume that would be too vulnerable to hacking. So how does one set this up so a user
can log-in without their having the info needed to connect to the database?
Does one in fact go ahead put the database connection variables in a php script which the user can run?? Seems risky. How ELSE can a casual (non-admin) user cause his/her password to get compared to what is stored in the database in mysql?