
I am developing a simple PHP application which needs to connect to a database. This is the part of the code that creates the connection to the DB:

private $mysqli;

public function __construct()
{
     $this->mysqli = new \mysqli("localhost", "root", "password", "mydb");
}

My question: how do I avoid hard-coded credentials? The client required me to avoid this.

Where should I put these settings?

Cœur
Siavosh
  • 1
    if thats the case, then create a config file – user1978142 Jun 12 '14 at 11:19
  • If the client does not want hardcoded credentials, how does he want to have them entered? Does he want to edit them? Or have them put in via a web form interactively each time and store them in a cookie at the client's browser? – Alex Monthy Jun 12 '14 at 11:21
  • I would suggest and ini or xml configuration file, if it needs to be edited by hand, or serialized json file if handled programatically – Steve Jun 12 '14 at 11:22
  • 1
    possible duplicate of [How to secure database passwords in PHP?](http://stackoverflow.com/questions/97984/how-to-secure-database-passwords-in-php) – RandomSeed Jun 12 '14 at 12:16

3 Answers


Use a config file, loaded with require_once("../path-to-your-config/config.php").

Example usage (config.php is assumed to define a Conf class with the constants used below):

<?php
// config.php, kept outside the web root, must define something like:
//   class Conf {
//       const HOST     = 'localhost';
//       const USER     = 'dbuser';
//       const PASSWORD = 'secret';
//       const DB       = 'mydb';
//   }
require_once("../path-to-your-config/config.php");

class ABC {

    private $mysqli;

    public function __construct()
    {
         // credentials come from the config file, not from this source file
         $this->mysqli = new \mysqli(Conf::HOST, Conf::USER, Conf::PASSWORD, Conf::DB);
    }
}
Bartek

As @user1978142 said, a config file would be best for storing this kind of information. Preferably this config file should be stored outside the server directory (so no one can accidentally get external access). Moreover, you should ensure that access to this file is restricted to select users.

user1978142
danielvdende

Create a separate file called credentials.php and put it in a folder which is not the root folder, or restrict access to the folder and the file inside of it. In this file, assign all the values you want ($server, $username, $password etc.) and, whenever you need them, just use the require_once function so that you can get access to them.

You can also consider using PDO if it's a matter of changing from one database to another.

  • 2
    Name the file .credentials.php - most apache servers don't serve files beginning with a dot, which adds a little bit to safety. And make it readable only to the daemon user account under which the server process runs. – Alex Monthy Jun 12 '14 at 11:33
  • @AlexMonthy the question I always ask when I hear such a superstition: surely you always follow this advice yourself, don't you? – Your Common Sense Jun 12 '14 at 11:58
  • @YCS: It depends. On work for clients which I do not supervise afterwards, yes I do. For my own purposes, no. But then I'm only responsible to myself. – Alex Monthy Jun 12 '14 at 12:51
  • How can PDO help with avoiding hardcoding credentials? – CloudWave Aug 25 '20 at 01:48
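The three answers above all say the same thing: keep the credentials in a file outside the web root, restrict who can read it, and require it from the application. The following is an added example that puts those pieces together; it is not code from the question or from any of the answers. The directory layout, the config-file format (a PHP file that returns an array), the environment-variable names DB_HOST/DB_USER/DB_PASSWORD/DB_NAME and the web-server account www-data are all assumptions for the sake of the example. It needs PHP 7.4 or later for the typed property.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not code from the question or the answers above.
 * Assumed layout (hypothetical paths):
 *   /var/www/example.com/public/          <- DocumentRoot; only this is served
 *   /var/www/example.com/config/db.php    <- credentials, OUTSIDE the DocumentRoot
 *   /var/www/example.com/src/Database.php <- this file
 *
 * Deploy the config file so only the web server's account can read it
 * (assumes the PHP process runs as www-data):
 *   chown root:www-data /var/www/example.com/config/db.php
 *   chmod 0640          /var/www/example.com/config/db.php
 *
 * Contents of config/db.php (the whole file just returns an array):
 *   <?php
 *   return [
 *       'host'     => 'localhost',
 *       'user'     => 'app_user',   // least-privilege account, not root
 *       'password' => 'change-me',
 *       'database' => 'mydb',
 *   ];
 */

final class DbConfig
{
    private const REQUIRED = ['host', 'user', 'password', 'database'];

    /**
     * Load credentials from the config file outside the web root.
     * Environment variables (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME; names are
     * an assumption) take precedence when all four are set, so a container or
     * CI deployment can inject them without any file on disk.
     */
    public static function load(string $file = __DIR__ . '/../config/db.php'): array
    {
        $cfg = self::fromEnv() ?? self::fromFile($file);
        foreach (self::REQUIRED as $key) {
            if (!isset($cfg[$key]) || !is_string($cfg[$key]) || $cfg[$key] === '') {
                throw new RuntimeException("database config: missing key '$key'");
            }
        }
        return $cfg;
    }

    private static function fromEnv(): ?array
    {
        $map = ['host' => 'DB_HOST', 'user' => 'DB_USER', 'password' => 'DB_PASSWORD', 'database' => 'DB_NAME'];
        $cfg = [];
        foreach ($map as $key => $var) {
            $value = getenv($var);
            if ($value === false) {
                return null; // fall back to the file unless all four are set
            }
            $cfg[$key] = $value;
        }
        return $cfg;
    }

    private static function fromFile(string $file): array
    {
        $real = realpath($file);
        if ($real === false || !is_file($real)) {
            throw new RuntimeException("database config: $file not found");
        }
        // Refuse a world-readable file: a stray `chmod 644` would hand the
        // password to every other account on a shared host.
        $mode = fileperms($real) & 0777;
        if (($mode & 0004) !== 0) {
            throw new RuntimeException(sprintf('database config: %s is world-readable (mode %04o)', $real, $mode));
        }
        $cfg = require $real;
        if (!is_array($cfg)) {
            throw new RuntimeException("database config: $real must return an array");
        }
        return $cfg;
    }
}

final class Database
{
    private mysqli $mysqli;

    public function __construct()
    {
        $cfg = DbConfig::load();
        // Report connection failures as exceptions rather than PHP warnings,
        // which could otherwise print the host or user name into a page.
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
        $this->mysqli = new mysqli($cfg['host'], $cfg['user'], $cfg['password'], $cfg['database']);
        unset($cfg); // do not keep the password in scope longer than needed
    }
}
```

Two things to check after deploying: that a request for /config/db.php from a browser returns 404 (it is outside the DocumentRoot, so nothing should serve it), and that the file is in the deployment's ignore list so it never lands in version control next to the source. The fileperms() check only means something on a POSIX filesystem; on Windows it will not detect an over-permissive ACL.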