
I am really just starting in OOP using MySQLi and I came up with this problem.

This is my code:

class Database{

    // Declared property must match the one assigned in the constructor
    public $con;

    public function __construct($db_host, $db_user, $db_password, $db_name){
        $this->con = new mysqli($db_host, $db_user, $db_password, $db_name);
    }
}

The code above is working, but when I need to instantiate this class, I need to declare my hostname, username and database name in my main page, which is not secure and very vulnerable (I guess).

     $db = new Database("HostOfDatabase", "DBRoot", "", "databaseOfMine");

I just want to ask what the right way of putting the database connection in the class constructor is. I didn't understand well the other solutions I found in this forum, though. I hope someone could enlighten me a bit. Cheers!

eaponz

2 Answers


I'll try to elaborate on the other solutions you likely found on the forum, since you said you didn't really understand them.

Remember that (assuming your webserver is properly configured), your PHP source code is not accessible externally (i.e., not accessible to your visitors). So there isn't actually anything intrinsically wrong with storing your credentials in your source code. The main problem is if you're sharing the source code with anyone else, for instance on Bitbucket or Github. Additionally, anyone with file access to your server (e.g., someone who can sit down at the computer, or who can get a remote shell into it) will be able to read these.

The standard approach is to just set up a config file which is not part of the codebase (i.e., it is not put under version control and not shared with anyone else who may be using or developing the code). So it would look something like this:

<?php

// Variable names must match the ones the Database constructor uses
$db_host = "localhost";
$db_user = "blahblahblah";
$db_password = "whatever";
$db_name = "dbname";

// No closing ?> tag: a trailing newline after it would be sent as output

And so on for any other configuration values you need. You could store this in, say, config.php and for added security, place it outside of your webserver's document root. That way there's no way it can be accessed from the web. You also want to make sure it is only readable by the user account which will be executing your script, often web or www or apache.

Now when you need the config values, you can just include("config.php") and access the variables directly. For instance, it might look something like this:

<?php
class Database{

    private $con;

    public function __construct(){
        // Included inside the method, so $db_host etc. exist only in this scope
        require("config.php");
        $this->con = new mysqli($db_host, $db_user, $db_password, $db_name);
    }
}

Notice I require'd the config file inside the function: this is just a little added security to ensure that the variables in the config file only have function-local scope and are no longer accessible once the function returns.

brianmearns

It's ok to create the connection using the constructor, but you may look into the Singleton pattern to avoid creating several connections.

About the values, you should store them into a config.php file in a separate directory, using constants or just an array of config parameters. So, you'll include the class file, the config file and instantiate the DB class using the config params.

lsouza
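Putting both answers together: the first answer's config file kept outside the document root, readable only by the web server user and loaded with function-local scope inside the constructor, and the second answer's config array plus a single shared connection (the Singleton pattern). This is an added example, not code from either answer or from the original question. It assumes PHP 8 with the mysqli extension and mysqlnd, a hypothetical config path of /etc/myapp/db.php, and that the file is owned by the web server user with mode 0600; the `users` table in the usage function is also made up for illustration.

```php
<?php
// Added example, not from the original question or answers.
//
// /etc/myapp/db.php (hypothetical path, outside the document root) contains:
//
//   <?php
//   return [
//       'host'     => 'localhost',
//       'user'     => 'app_user',
//       'password' => 'change-me',
//       'name'     => 'app_db',
//   ];
//
// installed with, e.g.:  install -o www-data -g www-data -m 0600 db.php /etc/myapp/db.php
declare(strict_types=1);

final class Database
{
    private const CONFIG_PATH = '/etc/myapp/db.php'; // hypothetical
    private static ?Database $instance = null;
    private mysqli $con;

    // Singleton accessor: every caller in the request shares one connection.
    public static function get(): self
    {
        return self::$instance ??= new self(self::CONFIG_PATH);
    }

    private function __construct(string $configPath)
    {
        // Local variable only: the credentials are never stored on $this and
        // go out of scope when the constructor returns.
        $cfg = self::loadConfig($configPath);

        // Throw on failure rather than returning a half-initialised object.
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
        $this->con = new mysqli($cfg['host'], $cfg['user'], $cfg['password'], $cfg['name']);
        $this->con->set_charset('utf8mb4');
    }

    private static function loadConfig(string $path): array
    {
        $real = realpath($path);
        if ($real === false || !is_file($real)) {
            throw new RuntimeException("config file not found: $path");
        }

        // Refuse a config that group or others can read (want 0600 or 0400).
        $mode = fileperms($real) & 0777;
        if (($mode & 0077) !== 0) {
            throw new RuntimeException(sprintf('%s is mode %04o; expected 0600', $real, $mode));
        }

        // Refuse a config under the document root, where a misconfigured
        // server could serve it as plain text.
        $docRoot = $_SERVER['DOCUMENT_ROOT'] ?? '';
        $docReal = $docRoot !== '' ? realpath($docRoot) : false;
        if ($docReal !== false
            && str_starts_with($real, rtrim($docReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR)) {
            throw new RuntimeException("config file must not live under the document root: $real");
        }

        // The file returns an array, so no variables leak into any scope.
        $cfg = require $real;
        if (!is_array($cfg)) {
            throw new RuntimeException("config file must return an array: $real");
        }
        foreach (['host', 'user', 'password', 'name'] as $key) {
            if (!array_key_exists($key, $cfg)) {
                throw new RuntimeException("config is missing key '$key'");
            }
        }
        return $cfg;
    }

    // Expose the handle for prepared statements; callers never see credentials.
    public function connection(): mysqli
    {
        return $this->con;
    }

    // Block the two ways a second instance could appear.
    private function __clone() {}
    public function __wakeup(): void
    {
        throw new LogicException('Database must not be unserialized');
    }
}

// Usage: a prepared statement through the shared connection (table is hypothetical).
function findUserId(string $email): ?int
{
    $stmt = Database::get()->connection()->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row === null ? null : (int) $row['id'];
}
```

The permission and document-root checks fail closed: a config that is world-readable, or that has been dropped into the web tree by mistake, stops the application instead of silently working until someone reads the credentials. Returning an array from the config file (rather than defining globals) means nothing leaks into scope no matter where the file is required.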