vickatlinux
security flaw....

Well, I'm not sure whether my question is related to PHP or MySQL basically. Anyway, starting the story: I've hosted my site on a shared server. I've a file db.php which has the SQL query to connect to my MySQL database, and I include it on each PHP file where I need it. But the problem is, I just tried this from another host:
include "http://first-host-site.com/db.php";
and it was just done. I mean it got connected remotely from another server. What the hell is this, man? It means anyone can include this db connection file of mine in their scripts and access my tables, data etc. Isn't it a security flaw? Who has to solve it, me or my hosts? I wish to assign more points to my question but these are all I've got.
PaulPosition

I'm not sure how your host is configured, but usually it goes like this:

You've got a folder that's your home. Say, '/users/me'. In it is a folder that contains your html and php pages, something like '/users/me/html'. Everything that's in there is accessible by HTTP, and that's where your first-host-site.com name is pointing to.

So, if you create (in my example) a '/users/me/includes' folder, you could store your include files there, where they are NOT accessible by the HTTP protocol (they still are accessible by your own scripts, of course). You'd reference them with something like include "../includes/db.php".

Hope this helps.
Paul, you made a point there, but the problem is that he can establish a connection to his database remotely from another server; most servers only accept connections from localhost, unless configured otherwise.

You could include from a path that is not accessible by the HTTP protocol, but (as with my own host) sometimes you can't put files there; if so, it could be a fine solution.

What if you put something like this in your db.php file:

<?php
if($_SERVER['SERVER_NAME']=="yourdomain.com" || $_SERVER['SERVER_NAME']=="www.yourdomain.com") {
      // establish connection here
} else {
      // some kind of error message
}
?>

The above should detect whether the script is accessed by your own host or by another.
Anyway, you should ask your hosting provider about this problem.
vickatlinux (ASKER)

Both solutions are looking good (will decide after testing). Paul! Please clear up your point that my include folder will not be accessible by HTTP: do I have to put some permissions on my include folder, or will it just not be accessible by default? And sentel! In your script, can this variable be passed through the URL also? If yes, then it is still not secure; if no, then I think it's good. Your second suggestion is also good, that I must contact my hosts, but I'm far away from them and only have mail contact. Anyway, I'll test your script.
ASKER CERTIFIED SOLUTION
majestiq

>>can this variable be passed through url also??<<

No, you don't need to worry about $_SERVER["SERVER_NAME"]; it can't be changed by anyone else, or be passed through URLs.
Thanks sentel, your script is really useful, but I liked majestiq's answer more. Thanks again for your help, dear. I'll be pleased to have more suggestions in future from you, dear, as you are really a helpful expert.
Well, happy you got it working. And sorry I couldn't explain better the very same concept majestiq so eloquently described.
Even though you have code to connect to the DB from that include file (http://first-host-site.com/db.php), if I include that file in my page, say http://myserver.com/test.php, I think I won't be able to do select, insert, or any other DB actions, unless the DB/table level permissions are very carelessly set such that they allow any select/insert/update/delete from any host IP to all tables of all databases.

Am I making sense? Anybody, please respond to me on this.
you can also set up the hosts that MySQL is allowed to connect to, so you have a list of allowed IP addresses.  This can be done through cPanel if you have it.
Is there a way to hide even the include("../includes/db.php")? Like the built-in functions of PHP, that I don't have to include? Do you know what I mean? It seems to be insecure also to put the location of my database connection script, even when it's outside the webroot.

I appreciate any answers.
<?php @include("../includes/db.php");?>

would stop the echoing of any errors...or you could make your own function.

function db_connect()
{
  @include("../includes/db.php");
}

which could be added to any page..
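An added example (not code posted in this thread) that puts together sentel's host-name check from earlier in the thread and the db_connect() wrapper from the last post. Everything in it is a placeholder: the allowlist entries, the APP_DB_* credential names, and the '../includes' location, which assumes db.php sits outside the document root the way PaulPosition described. It adds two things the thread talks around: db.php exits if it is the script actually being requested rather than included, and connection errors are logged instead of echoed, so neither credentials nor host details reach a client.

```php
<?php
// Added example; not code posted in this thread. Placeholder values:
// APP_DB_USER / APP_DB_PASS / APP_DB_NAME and the allowlist host names.
// Assumes this file is /users/me/includes/db.php, outside the document root.

// Guard 1: if db.php itself is the requested script (a direct HTTP request
// for it), stop here. A normal include() from another script on this server
// has a different SCRIPT_FILENAME, so it passes.
if (PHP_SAPI !== 'cli'
    && realpath($_SERVER['SCRIPT_FILENAME'] ?? '') === realpath(__FILE__)) {
    http_response_code(403);
    exit('Forbidden');
}

/**
 * Guard 2: sentel's check as a function. True when the request is served
 * under one of our own host names.
 */
function request_is_for_own_host(array $server, array $allowed_hosts): bool
{
    $name = strtolower($server['SERVER_NAME'] ?? '');
    return in_array($name, $allowed_hosts, true);
}

/**
 * The db_connect() wrapper from the last post, filled in. Returns a mysqli
 * handle, or null on any failure; the reason goes to the server error log,
 * never to the browser.
 */
function db_connect(): ?mysqli
{
    $allowed_hosts = ['yourdomain.com', 'www.yourdomain.com']; // placeholders

    if (PHP_SAPI !== 'cli' && !request_is_for_own_host($_SERVER, $allowed_hosts)) {
        error_log('db_connect refused for host: ' . ($_SERVER['SERVER_NAME'] ?? '(none)'));
        return null;
    }

    // Report failures through connect_error instead of throwing (PHP 8.1+
    // throws by default), so the message never ends up in page output.
    mysqli_report(MYSQLI_REPORT_OFF);
    $db = @new mysqli('localhost', 'APP_DB_USER', 'APP_DB_PASS', 'APP_DB_NAME');
    if ($db->connect_error) {
        error_log('db_connect failed: ' . $db->connect_error);
        return null;
    }
    $db->set_charset('utf8mb4');
    return $db;
}

// Usage from a page under the document root, e.g. /users/me/html/index.php.
// __DIR__ makes the path independent of the working directory and include_path.
//
//   require __DIR__ . '/../includes/db.php';
//   $db = db_connect();
//   if ($db === null) {
//       http_response_code(503);
//       exit('Database unavailable');
//   }
```

Two caveats worth knowing. Apache fills SERVER_NAME from the client's Host header unless UseCanonicalName is On, so the host-name check is a sanity check rather than a boundary; the boundary is the file location plus a MySQL account created as 'user'@'localhost' (the host allowlist mentioned above), which cannot authenticate from another machine at all. And a remote include "http://first-host-site.com/db.php" only receives what first-host-site.com's web server sends back, that is, the output of db.php after that server has executed it, not its PHP source; with the guard above that output is just "Forbidden", and the path given to a local include() is never sent to the browser.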