1

I am connecting to SQL through PHP for IIS.

<?php
$connectionInfo = array("Database"=>"saz09", "UID"=>"sa", "PWD"=>"Cambiar", "CharacterSet"=>"UTF-8"); 
?>

Everything is working correctly but since anyone can access the files, I want something like the following:

<?php
$connectionInfo = array("Database"=>"saz09", "UID"=>"sa", "PWD"=>"81dc9bdb52d04dc20036dbd8313ed055", "CharacterSet"=>"UTF-8"); 
?>

Any suggestions for doing this, or is there another way not to expose the password?

Tefitaz
  • 2
    Maybe store the password in a file in a secure location on your server, then read the content with the PHP code when you need to connect the database? – GMB Sep 17 '19 at 21:52

1 Answer

3

One solution is using environment variables for your application. You'd store your credentials in environment variables of your system and then in your application you read the value of the environment variables to make your database connection (you can also use some kind of encryption). So, basically, you set up the following variables as environment variables:

  1. DB_USER
  2. DB_PASS
  3. Others

Then in your code you use getenv(VAR_NAME) to make the database connection. So, in your case, it would be something like this:

$connectionInfo = array("Database"=>"saz09", "UID"=>getenv("DB_USER"), "PWD"=>getenv("DB_PASS"), "CharacterSet"=>"UTF-8");

You should also verify that the values of both variables exist before setting them on the database connection.

Positive points:

  • There are no hard-coded credentials in your code (if people have access to your code, they won't have the credentials), which makes it more secure;
  • It's configurable for every environment: in case other people share the same project, each of you configures your own database connection (no risk of accidentally using the production connection);

Negative points:

  • If someone has access to the server you're hosting your application, they can have access to your env vars.

Edit: As @Chris mentioned, this is not a negative point, since if someone has access to your server, it means your application is in trouble no matter how we store the credentials. Thank you for the clarification, @Chris.

You can also add more security by adding encryption to the string and in your code you decrypt the credentials string.

I'm not sure which OS you use, so here's a short guide to configuring environment variables on the two most famous OSes:

There are a lot of other ways to take an approach similar to this. If you want to get familiar with them, have a read of the link:

gustavo.lei
  • 1
    "If someone has access to the server you're hosting your application"—this isn't a weakness of environment variables. If somebody has access (presumably root, or at least as the user running the application) to your server there's very little you can do. – ChrisGPT was on strike Sep 18 '19 at 00:42
  • Mmmmm... I didn’t know that, to be honest. In case someone has access to the server, they’d have access to the environment variables and would be able to see the credentials, no? – gustavo.lei Sep 18 '19 at 01:17
  • 1
    My point is that if somebody has access to the server you're in trouble, no matter how you store this information. Environment variables are no worse than anything else. – ChrisGPT was on strike Sep 18 '19 at 01:37
  • That makes sense. Thank you for the clarification, I’ll update the answer as soon as possible! – gustavo.lei Sep 18 '19 at 01:41
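
The check the answer recommends (confirming the variables are set before connecting), written out as an added example that is not part of the original answer or comments. DB_USER and DB_PASS are the answer's names; DB_SERVER and DB_NAME are assumed names for its "Others" entry, and the sqlsrv extension is assumed as the driver.

```php
<?php
// Added example, not code from the original thread.
// DB_SERVER and DB_NAME are assumed (hypothetical) variable names.

// Return a required environment variable, or fail closed if it is unset or empty.
function requireEnv(string $name): string
{
    $value = getenv($name);            // getenv() returns false when the variable is unset
    if ($value === false || $value === '') {
        // Report the variable's name only, never a value.
        throw new RuntimeException("Missing required environment variable: $name");
    }
    return $value;
}

// Build the same array shape the question uses, with nothing hard-coded.
function buildConnectionInfo(): array
{
    return [
        "Database"     => requireEnv("DB_NAME"),
        "UID"          => requireEnv("DB_USER"),
        "PWD"          => requireEnv("DB_PASS"),
        "CharacterSet" => "UTF-8",
    ];
}

function connectFromEnv()
{
    $conn = sqlsrv_connect(requireEnv("DB_SERVER"), buildConnectionInfo());
    if ($conn === false) {
        // Driver errors can include the login name: keep them in the server log.
        error_log("sqlsrv_connect failed: " . json_encode(sqlsrv_errors()));
        throw new RuntimeException("Database connection failed");
    }
    return $conn;
}

try {
    $conn = connectFromEnv();
} catch (RuntimeException $e) {
    error_log($e->getMessage());       // detail goes to the log, not to the browser
    http_response_code(500);
    exit("Service unavailable");
}
```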