Recently, I've been working on a blog system for my website, <a href='http://www.64digits.com/octopus'>Octopus's Garden</a>. The system uses MySQL for comments, users, and blogs, unlike the current site's system, which reads information from text files. I've read a little bit about the security issues of MySQL, but I'm still not sure exactly how to fix them. Here are some of my questions:
<b>I.</b> How does one deal safely with the password used to connect to MySQL? Is the following insecure within a PHP file?
$db_host = 'host';
$db_user = 'username';
$db_password = 'password';
$db_name = 'database';
-Would it be possible for a hacker to access the raw PHP source? If so, where would the password be stored?
-Is it possible for the transfer between this PHP script and MySQL to be intercepted? If so, is the password automatically encrypted, or should I encrypt it somehow?
<b>II.</b> How does one screen user inputs so that they do not interfere with the MySQL structure? Is there an equivalent of strip_tags() or must one use some sort of index system to replace possibly dangerous user data?
[Answered, thanks to melee-master:
<b>III.</b> How does one deal with user passwords:
-Are the passwords sent in an encrypted form when they are sent using < input type='password'>?
-How does one encrypt user passwords to be placed in the MySQL database? I'd probably be able to figure this out, but if someone wants to tell me...
<b>IV.</b> I'm using cookies to store a person's login status. How should this be made secure? By inserting an encrypted password and checking it on each page?
If you have any other insight about securing such a system, please give it. Thanks.
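For questions II and III, the usual approach is to bind user input as parameters of a prepared statement and to store only a salted hash of each user password. The sketch below is an added example, not part of the original post; the table layout, function names and sample values are constructed, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example with a constructed schema and sample values. With MySQL only the
// DSN changes: new PDO('mysql:host=...;dbname=...;charset=utf8mb4', $db_user, $db_password).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pass_hash TEXT)');
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT)');

function register(PDO $pdo, string $name, string $password): void
{
    // password_hash() generates a salt and hashes; only the hash is stored.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (name, pass_hash) VALUES (?, ?)');
    $stmt->execute([$name, $hash]);
}

function login(PDO $pdo, string $name, string $password): ?int
{
    // The name is bound as data, so quotes in it cannot alter the query.
    $stmt = $pdo->prepare('SELECT id, pass_hash FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pass_hash'])) {
        return null; // unknown user or wrong password
    }
    return (int) $row['id'];
}

function addComment(PDO $pdo, int $userId, string $body): void
{
    $stmt = $pdo->prepare('INSERT INTO comments (user_id, body) VALUES (?, ?)');
    $stmt->execute([$userId, $body]);
}

register($pdo, 'alice', 'correct horse battery staple');
$id = login($pdo, 'alice', 'correct horse battery staple');
var_dump($id !== null);                          // valid credentials
var_dump(login($pdo, "alice' OR '1'='1", 'x'));  // quote-laden name is just a non-matching string
addComment($pdo, $id, "nice post'); DROP TABLE comments; --");
echo $pdo->query('SELECT COUNT(*) FROM comments')->fetchColumn(), "\n"; // table is intact

// Escape when printing into HTML, so stored text cannot inject markup.
$body = $pdo->query('SELECT body FROM comments')->fetchColumn();
echo htmlspecialchars($body, ENT_QUOTES, 'UTF-8'), "\n";
```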