
I have looked around on this problem, but have not found a solution. What I have found is to either use an ini file (which most replies follow up to say anyone can easily grab and read these files), or to store them in another database (obviously, this would not be any safer than now, because the other database's credentials would be exposed, leaving access to the original database). Pretty much all I found was either unanswered or answered with the above two, supposedly unsafe, options.

How can I keep my database access credentials safely outside of public eye? I currently have them directly placed in the PHP using variables. I am using GoDaddy as my host, and PHPMyAdmin for database usage.

  • file outside web root is the option used 99.9% of the time –  May 30 '17 at 01:13
  • Possible duplicate of [Secure storage of database connection credentials](https://stackoverflow.com/questions/7220590/secure-storage-of-database-connection-credentials) – David Findlay May 30 '17 at 01:31
  • Your application needs the creds to work, so you either store them somewhere the application can access (filesystem, separate db) or provide them with the request. The latter has its own issues, so a filesystem location outside the webroot is the usual practice. – Steve May 30 '17 at 01:37
  • With the file being outside the web root, is it still easily accessible since the web page has to call for it? – Tim Leitzke May 30 '17 at 01:56
  • Script may call for it, but the client cannot do it directly. If your (hosting) filesystem is compromised there's nothing you could do. You still need to be careful when user supplied data is used to include some file - see: [File inclusion vulnerability](https://en.wikipedia.org/wiki/File_inclusion_vulnerability) – shudder May 30 '17 at 05:50
  • I am using includes to keep my headers and footers all the same (locally hosted), does that make my website vulnerable then? My website will be hosting loads of information on database, so I want it to be secure, however this is only month 2 of me for PHP. (I did get the ini to work, I like the solution). – Tim Leitzke May 30 '17 at 18:10

1 Answer

Best answer so far, having an 'ini' file outside of public access (same folder as httpdocs for me) that holds login information. Then in PHP, access the file and parse it using:

"parse_ini_file(FILELOCATION)"

Here it is, in example of my usage:

access.ini (in same folder as httpdocs)

[database] 
dbhost = xx.xx.xxx.xxx:xxxx
username = xxxxxxxxxxx
password = xxxxxxxxxxxxxxxx
dbname = xxxxxxxxxxxxxx

page.php (in folder httpdocs)

<?php
// parse_ini_file() without the process_sections argument flattens the
// [database] section, so the keys can be read directly from the array.
$DatabaseAccess = parse_ini_file('../access.ini');
$dbhost = $DatabaseAccess['dbhost'];
$username = $DatabaseAccess['username'];
$password = $DatabaseAccess['password'];
$dbname = $DatabaseAccess['dbname'];

It so far continues to work, and feels secure enough. Also makes it far easier than remembering to delete/replace database credentials when getting help on any bit of code.
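The answer's setup carried through to an actual connection, as an added example that is not part of the original post: it loads access.ini from one level above the script's directory (assumed to be httpdocs, as in the answer), fails closed if a required key is missing, and connects with PDO without echoing the credentials to the client on error. The helper names loadDbConfig and connectDb are this example's own.

```php
<?php
// Added example: credentials from an ini file outside the web root, then a PDO
// connection. Path layout and key names follow the answer above; helper names
// are this example's own, not from the original post.
declare(strict_types=1);

function loadDbConfig(string $path): array
{
    // Resolve to an absolute path and refuse anything that is not a regular file.
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException('database config file not found');
    }
    // Default scanner: sections are flattened, values come back as strings.
    // Values containing ; = or " must be double-quoted inside the ini file.
    $cfg = parse_ini_file($real);
    if ($cfg === false) {
        throw new RuntimeException('database config file could not be parsed');
    }
    // Fail closed if any required key is missing or empty; never echo the values.
    foreach (['dbhost', 'username', 'password', 'dbname'] as $key) {
        if (!isset($cfg[$key]) || $cfg[$key] === '') {
            throw new RuntimeException("database config is missing '$key'");
        }
    }
    return $cfg;
}

function connectDb(array $cfg): PDO
{
    // dbhost may carry a port as host:port, as in the answer's access.ini.
    [$host, $port] = array_pad(explode(':', $cfg['dbhost'], 2), 2, '3306');
    $dsn = sprintf('mysql:host=%s;port=%d;dbname=%s;charset=utf8mb4',
                   $host, (int) $port, $cfg['dbname']);
    return new PDO($dsn, $cfg['username'], $cfg['password'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw, don't fail silently
        PDO::ATTR_EMULATE_PREPARES => false,                  // server-side prepared statements
    ]);
}

try {
    // __DIR__ is this script's directory (inside httpdocs); the ini sits one level up.
    $pdo = connectDb(loadDbConfig(__DIR__ . '/../access.ini'));
} catch (Throwable $e) {
    // Log the detail server-side; the client sees nothing about paths or credentials.
    error_log('database setup failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Service unavailable');
}
```

On shared hosting, also confirm the ini file is readable only by the account the web server runs PHP as (e.g. mode 0600), since the web root boundary does nothing against another user on the same filesystem.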