0

I am using many PHP scripts and I have database information inside each file, including database name and password.

I want to secure this piece of information, to make sure no one can gain access.

The information could be stored in a separate file which would then be read by the PHP script when needed.

My question is - where do I store it, how, and how do I prevent unauthorized access to that file? I'm also open to other suggestions, anything which will secure the password in the best possible way.

Dan Horvat
  • 800
  • 3
  • 14
  • 27

2 Answers2

2

There may be an even better solution, but I store mine as part of the apache environment startup (only readable by root on the server). You could do the same, or some analog if you're using a different server technology.

#site.example.com
Include includes/credentials/site.conf

#includes/credentials/site.conf
<Directory /srv/www/html>
    SetEnv DB_HOST "server"
    SetEnv DB_USER "user"
    SetEnv DB_PASS "passwd"
</Directory>

This also allows you to control "credentials" per-directory, if that helps you.

In php, you can connect with something like:

$pdo = new PDO("mysql:host=$_SERVER[DB_HOST]", $_SERVER['DB_USER'],
    $_SERVER['DB_PASS']);

EDIT: This also gives you the flexibility to alter credentials when you want to connect to something else like your own mysql instance. You can use a .htaccess to override, or change the environment if you have control over that (probably preferred).

Explosion Pills
  • 188,624
  • 52
  • 326
  • 405
0

Having DB Info in your business files is really dangerous from maintenance point of view. Think of the amount of work you would have to do, if you move your website to a new server.

I would suggest use the Data Access Object Pattern

Now in whatever folder you have this DAO class, put a simple index.html which displays a blank page when accessed. Joomla uses this method based on the provided rationale.

Community
  • 1
  • 1
Srihari
  • 766
  • 1
  • 6
  • 22