2

I know that the question "how to correctly store Database credentials?" has been asked a lot, but in a discussion with a coworker that question resurfaced and we couldn't determine what was the correct answer:

Ini File:

  • Storing credentials in a .ini file looks elegant, but that kind of file can be viewed in a browser.

Php file:

  • In-script storage looks a little hardcoded but a hacker has to get into the server in order to peek at the file.

So what would be the best approach?

P.S.: Any other storage options are accepted

Thanks in advance

mtrueblood
  • 414
  • 2
  • 11
  • 28
J. Pichardo
  • 3,077
  • 21
  • 37
  • 2
    Actually you can deny the access to certain file types: http://www.ducea.com/2006/07/21/apache-tips-tricks-deny-access-to-certain-file-types/ – Hackerman May 19 '16 at 18:46
  • 2
    `"that kind of files can be viewed in a browser"` - Only if you serve them to the user. Keep the `.ini` files outside the public web directory and don't give them to your users. `"but a hacker has to get into the server"` - That should be true of anything. And once it is true, pretty much all bets are off. – David May 19 '16 at 18:47
  • 2
    if your `.ini` files are placed under public; yeah, that's an issue. However most are placed outside the public area and there is no problem in storing `.ini` files and using them, just as long as they're not "public". – Funk Forty Niner May 19 '16 at 18:47
  • @David GMTA *lol* I was typing mine up at the same time. – Funk Forty Niner May 19 '16 at 18:48
  • 2
    Not storing passwords at all is another option, eg: use OAuth – mister martin May 19 '16 at 18:48
  • Thanks to all, and yes I did read the other question, but as it didn't make a comparison I thought of asking a more concrete questions – J. Pichardo May 19 '16 at 19:03

0 Answers0