
Possible Duplicate:
How to secure database passwords in PHP?

Recently I was given a website project which was supposed to be done in PHP, but I don't have much experience in PHP. Anyway, it is up and running, but there is a lot of room for improvement. The one thing that I am not comfortable with is the way I am dealing with the database: I put the database connection information in a separate db.php file and include it where needed. But I remember seeing PHP source files returned by the server many a time.

So now my question is: what is a better or the best way / place to put database sensitive data?

By the way, how do I NOT let PHP show error messages on web pages when things go wrong? A custom error page, or settings somewhere in php.ini? Thanks!

Note: I am using PHP in its old flavor, not the object-oriented way. But I am open to the object-oriented or MVC way if there are better approaches that way, to prepare for future projects.

dragon66
  • Good, important questions! +1 for thinking of security. – David Apr 16 '12 at 14:38
  • For your by the way, [`display_errors`](http://www.php.net/manual/en/errorfunc.configuration.php#ini.display-errors) should **ALWAYS** be set to `off` on a production server. This way, PHP will throw a 500 error instead of showing the actual error. – Pierre-Olivier Apr 16 '12 at 14:42
  • I guess display_errors = off in php.ini should prevent any errors from showing –  Apr 16 '12 at 14:42
  • [How to secure database passwords in PHP?](http://stackoverflow.com/questions/97984/how-to-secure-database-passwords-in-php) – Mike B Apr 16 '12 at 14:43

3 Answers


I don't know if this is what you are looking for:
You can put your sensitive data in your db.php, but outside the web root directory (public_html or www).

For example, you could have a directory called config which is a sibling of your web root directory, and store your db.php file there.

You can include your db.php file like this:

require_once('../config/db.php');

I hope this helps.

Omid Kamangar
  • +1 for this solution, also don't forget to change the rights of this file to the lowest but still readable by the webserver. If the file is owned by the webserver process, perhaps `0600` would be secure enough? – Pierre-Olivier Apr 16 '12 at 14:47

It's fine to put it in a db.php file; just use require_once() right after the opening <?php tag of each document.

If basedir restriction is not in effect, move the db.php file outside of your web/ftp root; that way it's definitely not accessible via http/ftp. Make sure permissions are set properly on this file though.

Since you aren't using OOP or an MVC structure for your code this is the best route to go.

NDBoost

I would personally create a file called db.php and place this above the public_html folder on your server.

For example:

<?php
    // Suppress all PHP error output so a failed connection never prints
    // the hostname or credentials on the page.
    error_reporting(0);
    $link = FALSE;
    // Note: the mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.
    $link = mysql_connect('hostname', 'username', 'password');
    if ( ! $link)
    {
        die("Couldn't connect to mysql server!");
    } else {
        mysql_select_db('databasename');
    }
?>

This turns off error reporting at the same time as connecting to your database. From your index.php you would include the file like so:

<?php require('../db.php'); ?>
Dale
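The following index.php is an added example that is not code from the question or from any of the answers above. It ties together the three pieces of advice on this page: the config file lives in a directory that is a sibling of the web root (the config/db.php layout from the first answer), it is refused if it turns out to be under the web root or is world-readable (the `0600`/`0640` permission point from the comments), and display_errors is off with logging on so a connection failure yields a generic 500 instead of a stack trace (the comments on the question). Assumptions, none of which come from the page: a layout of /var/www/example/public_html/index.php and /var/www/example/config/db.php, PHP 5.4 or later with the PDO MySQL driver, a config file that simply returns an array, and placeholder credentials. Using PDO rather than the mysql_* functions shown in the last answer is a swapped-in choice, not something the answers prescribe.

```php
<?php
// Added example; not from the question or the answers on this page.
// Assumed layout (constructed for this example):
//   /var/www/example/public_html/index.php   <- web root ($_SERVER['DOCUMENT_ROOT'])
//   /var/www/example/config/db.php           <- outside the web root, chmod 0640, owned by the deploy user, group www-data
// Assumed: PHP 5.4+ with the PDO MySQL driver; all hostnames and credentials are placeholders.

// 1. Never show errors to visitors; log them instead. Equivalent php.ini lines:
//    display_errors = Off
//    log_errors = On
//    error_log = /var/log/php/app.log      (assumed path)
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Uncaught exceptions (including PDOException, whose message can contain the DSN and
// username) become a generic 500 page; the detail goes to the error log only.
set_exception_handler(function ($e) {
    error_log('Unhandled exception: ' . $e->getMessage());
    http_response_code(500);
    echo 'Internal server error';
    exit;
});

/**
 * Load a config file and refuse it if it is reachable from the web root or readable
 * by other local users. Returns the array the config file returns.
 */
function load_config($path, $docroot)
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("config file not found: $path");
    }
    // A file under the web root may be served as plain source whenever the PHP handler
    // is misconfigured, which is exactly the failure the question describes.
    $root = ($docroot !== null) ? realpath($docroot) : false;
    if ($root !== false && strpos($real, rtrim($root, '/') . '/') === 0) {
        throw new RuntimeException("config file $real is inside the web root $root");
    }
    // World-readable (o+r) means any local account on the host can read the password.
    if (fileperms($real) & 0004) {
        throw new RuntimeException("config file $real is world-readable; use chmod 0640");
    }
    $config = require $real;
    if (!is_array($config)) {
        throw new RuntimeException("config file $real must return an array");
    }
    return $config;
}

// config/db.php is expected to contain nothing but (placeholder values):
//   <?php return array('host' => 'localhost', 'name' => 'appdb', 'user' => 'appuser', 'pass' => 'changeme');
$docroot = isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : null;
$config = load_config(__DIR__ . '/../config/db.php', $docroot);

// 2. Connect with PDO; ERRMODE_EXCEPTION routes failures to the handler above
//    instead of printing anything to the page.
$dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8', $config['host'], $config['name']);
$pdo = new PDO($dsn, $config['user'], $config['pass'], array(
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
));

// Drop the password from the request's variables once the connection is open.
unset($config['pass']);
```

The `__DIR__ . '/../config/db.php'` form resolves relative to the including file rather than to the current working directory, so it keeps working when the script is run from a cron job or from a different include_path; the realpath prefix check is what catches a deployment where someone later moves config/ back under public_html.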