
I have seen many recent PHP open-source applications (forums, CMS, etc.) for which the database info is stored in a separate PHP file but (unfortunately) inside the webroot. Now I am about to make a choice as to what script to go for, and therefore need to know how this neglect would affect the security of my db. In fact I don't know how much, and in what way, we could improve the security of our db by just moving the dbconfig.php to a separate directory?

I have already looked at this thread too: How to secure database passwords in PHP?

Okay, just now I found this thread (mysql/php: is this a secure way to connect to mysql DB) and would like to make my question even more clear: which one of these places is more secure to keep my dbconfig.php, and why?

 1./dbconfig.php 
 2./public_html/dbconfig.php
 3./public_html/includes/dbconfig.php

suppose that the index file is located here (I guess this is what is referred to as the webroot):

/public_html/index.php ( which first needs to include the dbconfig.php)
  • It's safer because if there was a mishap and for some reason your files were not processed by PHP, a hacker could follow the path of your includes and find your config file; if it's outside of the root then the only way to get to it would be to have deeper access, like a rooted server (presuming you don't allow arbitrary PHP uploaded to your server by your users). – Lawrence Cherone Aug 25 '12 at 23:39
  • Thanks for your response, meanwhile I added some more to my question and was wondering if you can respond to that too please. – C graphics Aug 25 '12 at 23:44
  • Well, only `#1` is outside of the root. – Lawrence Cherone Aug 25 '12 at 23:47
  • In #3, will password protecting the directory "includes" (using .htaccess) make dbconfig.php more secure compared to #2? – C graphics Aug 27 '12 at 02:55

1 Answer

In fact I don't know how much, and in what way, we could improve the security of our db by just moving the dbconfig.php to a separate directory?

You have two basic tools to improve security. Simplifying things a little bit . . .

  1. Location. Moving it outside the web root makes it harder for others to get to. If they're coming into your server over http, they're not likely to be able to access anything below the web root. (But if they have shell access to your account, you've lost the battle. Secure shell and good passwords are your friends.)
  2. Permissions. That file should have the tightest permissions possible. In my case, it's not readable by anyone but the owner. (chmod 600, for example.)
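The two tools the answer names, location and permissions, are both things you can check mechanically before deploying. The script below is an added example written for this page, not code from the question, the answer, or any of the applications mentioned. It takes a candidate dbconfig.php and the web root, reports whether the file sits under the web root and whether its mode lets group or others read it, and returns the number of problems found. It assumes GNU or BSD `stat`; the directory layout in `demo()` is constructed here for illustration and mirrors options 1 and 3 from the question.

```shell
#!/bin/sh
# Added audit script (not from the original question or answer). It applies
# the answer's two checks, location and permissions, to a candidate
# dbconfig.php: is the file inside the web root, and is it readable by
# anyone other than its owner? Assumes GNU or BSD stat; the directory
# layout built in demo() is constructed for illustration only.

# Canonical absolute path of a directory (resolves symlinks and "..").
canon_dir() { (cd "$1" 2>/dev/null && pwd -P); }

# Return 0 if file $1 lives inside directory $2 (the web root), 1 if not,
# 2 if either path cannot be resolved.
inside_webroot() {
    cfg_dir=$(canon_dir "$(dirname "$1")") || return 2
    root=$(canon_dir "$2") || return 2
    case "$cfg_dir/" in
        "$root"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Octal permission bits of a file, following symlinks (GNU stat first,
# BSD stat as the fallback).
file_mode() {
    stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1" 2>/dev/null
}

# Return 0 if neither group nor others have any bits set on $1 (600, 400),
# which is what "readable only by the owner" means here.
mode_is_owner_only() {
    m=$(file_mode "$1") || return 2
    m=${m#"${m%???}"}     # keep the last three octal digits (drop suid/sgid/sticky)
    g=${m%?}; g=${g#?}    # middle digit: group
    o=${m#??}             # last digit: others
    [ "$g" -eq 0 ] && [ "$o" -eq 0 ]
}

# Audit config file $1 against web root $2. Prints one line per finding
# and returns the number of problems found (0 means both checks passed).
audit_dbconfig() {
    cfg=$1; root=$2; problems=0
    [ -f "$cfg" ] || { echo "no such file: $cfg"; return 3; }
    if [ -L "$cfg" ]; then
        # A symlink placed under the web root is served like any other file.
        echo "WARN: $cfg is a symlink; check where it is reachable from"
    fi
    if inside_webroot "$cfg" "$root"; then
        echo "FAIL: $cfg is inside the web root $root (served as text if PHP handling ever breaks)"
        problems=$((problems + 1))
    else
        echo "ok:   $cfg is outside the web root $root"
    fi
    if mode_is_owner_only "$cfg"; then
        echo "ok:   mode $(file_mode "$cfg") is owner-only"
    else
        echo "FAIL: mode $(file_mode "$cfg") is readable by group or others (chmod 600 it)"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed layout: option 1 (../dbconfig.php, chmod 600) next to
# option 3 (public_html/includes/dbconfig.php, chmod 644).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/public_html/includes"
    printf '<?php\n$db_pass = "example-only";\n' > "$tmp/dbconfig.php"
    chmod 600 "$tmp/dbconfig.php"
    cp "$tmp/dbconfig.php" "$tmp/public_html/includes/dbconfig.php"
    chmod 644 "$tmp/public_html/includes/dbconfig.php"
    for f in "$tmp/dbconfig.php" "$tmp/public_html/includes/dbconfig.php"; do
        rc=0
        audit_dbconfig "$f" "$tmp/public_html" || rc=$?
        echo "problems found: $rc"
    done
    rm -rf "$tmp"
}
demo
```

Run it as `sh audit.sh`, or source it and call `audit_dbconfig /path/to/dbconfig.php /path/to/public_html` against a real deployment. From `/public_html/index.php`, option 1 is reached with `require __DIR__ . '/../dbconfig.php'`, so moving the file costs one path change. One caveat on the permissions check: chmod 600 only works when the PHP interpreter runs as the file's owner (a per-site php-fpm pool user, suPHP, or similar). Under mod_php running as the shared web server user, the file has to be readable by that user instead, and then every other site executing under the same user can read it too; in that setup the location check is the one doing most of the work.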