5

I am working on a school project (writing a website) and I ran into the problem of providing the password for the connection to our database. Because of our open-source license we have to publish the source code, but that would mean that everyone could connect to the database and see the data.

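Currently our connection (a PHP file) looks like this:

```php
$host = "************";
$password = "************";
$this->conn = new mysqli($host, $user, $password, $dbname);
// Stop if the connection could not be established.
if ($this->conn->connect_error) {
    die('Connection failed: ' . mysqli_connect_error());
}
```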

Now my question is: how can I provide the password to connect to the database without needing to write $password=... ?

Solomon Ucko
Kopse
  • `$password = 'ENTER YOUR PASSWORD HERE';` readme.txt: `"Enter your database credentials in the dbconfig.php file"` This is a really weird question – Steve Feb 02 '16 at 15:04
  • 2
    You cannot. But in MySQL you can restrict the hosts from where the connection is valid. You allow only trusted connections. Another option is you remove the actual connection details before publishing the code. – bansi Feb 02 '16 at 15:04
  • 3
    Write the password to a flat file (e.g. xyz.ini) and read it in. Hand out the code with an empty or dummy password, which the user of the software has to change anyway. You could also import the other parameters (host, username, database name) like this. – hherger Feb 02 '16 at 15:05
  • @hherger you should post that as an answer – Mariano D'Ascanio Feb 02 '16 at 15:06
  • 2
    Environment variables, `include`ing or otherwise reading a config file on disk, implicit configuration in php.ini or such... many many options. – deceze Feb 02 '16 at 15:14
  • 1
    Set up a database proxy on the localhost where this should be configured first. Your application could connect password-less to the proxy. Or: Use a generated hardware ID as a password, set this up once. Or: as everyone is commenting: don't bother as long as it is NOT in your versioning system – Ronald Swets Feb 02 '16 at 15:27

2 Answers

5

Ok, here's the one with the ini file:

xxx.php

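```php
<?php

    // Read the connection settings from the ini file next to this script.
    $db_params = parse_ini_file( dirname(__FILE__).'/db_params.ini', false );

    // .....

    $this->conn = new mysqli($db_params['host'], $db_params['user'], $db_params['password'], $db_params['dbname'], $db_params['port'], $db_params['socket']);
    // Stop if the connection could not be established.
    if ($this->conn->connect_error) {
        die('Connection failed: ' . mysqli_connect_error());
    }

    // ...

?>
```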

db_params.ini

```ini
host=mysql.example.com
port=3306
socket=
user=testuser
password=myPasswort
dbname=myDatabase
```
hherger
  • also make sure you do `echo db_params.ini >> .gitignore` ;) (or the equivalent for your VCS) – ʰᵈˑ Feb 02 '16 at 15:21
  • Right @hd. Also, if you deliver the software together with a setup script, it would be a good idea to init the _db_params.ini_ file there. – hherger Feb 02 '16 at 15:23
1

Use a single file to contain your configuration variables and exclude this file when sharing your code.

For example:

```php
require_once('config.php');
// Key names match the ones defined in config.php.
$this->conn = new mysqli($config['db']['host'], $config['db']['username'], $config['db']['password'], $config['db']['dbname']);
```

The config.php file would include:

```php
<?php
// config.php: excluded when the code is shared.
$config['db']['username'] = 'user';
$config['db']['password'] = 'pass';
// ...
```

You could/should expand this to include the host, port, database name etc.

Egg
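An added example (not part of either answer or of the asker's project) that combines the ini-file answer with the environment-variable suggestion from the comments: it loads the settings, refuses a config file that sits under the web root or is world-readable, and reads the values unparsed. The function name `load_db_params`, the `DB_*` variable names and the sample values are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example; load_db_params() and the DB_* variable names are hypothetical.
const DB_KEYS = ['host', 'user', 'password', 'dbname'];

function load_db_params(string $iniPath, string $docRoot = ''): array
{
    // 1. Use environment variables (DB_HOST, DB_USER, ...) when all are set.
    $env = [];
    foreach (DB_KEYS as $key) {
        $value = getenv('DB_' . strtoupper($key));
        if ($value !== false && $value !== '') {
            $env[$key] = $value;
        }
    }
    if (count($env) === count(DB_KEYS)) {
        return $env;
    }
    // 2. Otherwise read the ini file, refusing locations that could leak it.
    $real = realpath($iniPath);
    if ($real === false) {
        throw new RuntimeException('Database config file not found');
    }
    $root = $docRoot !== '' ? realpath($docRoot) : false;
    if ($root !== false && strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('Config file must be outside the web root');
    }
    if ((fileperms($real) & 0004) !== 0) {   // POSIX "other" read bit
        throw new RuntimeException('Config file must not be world-readable');
    }
    // INI_SCANNER_RAW: values are not parsed, so a password such as "null"
    // or "yes" stays a literal string instead of being converted.
    $params = parse_ini_file($real, false, INI_SCANNER_RAW) ?: [];
    foreach (DB_KEYS as $key) {
        if (!isset($params[$key]) || $params[$key] === '') {
            throw new RuntimeException("Missing database setting: $key");
        }
    }
    return $params;
}

// Constructed sample file, written to the temp directory for the demo.
$tmp = tempnam(sys_get_temp_dir(), 'dbp');
file_put_contents($tmp, "host=mysql.example.com\nuser=testuser\npassword=null\ndbname=myDatabase\n");
chmod($tmp, 0600);
$p = load_db_params($tmp, $_SERVER['DOCUMENT_ROOT'] ?? '');
printf("host=%s user=%s password is %d chars\n", $p['host'], $p['user'], strlen($p['password']));
unlink($tmp);
```

The returned array can be passed to `new mysqli(...)` as in the answers above; a file named `.ini` inside the web root is typically served as plain text, which is what the web-root check guards against.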