
I'm an iPhone developer, and I've just started out with PHP & mysql (making websites for others, and web services for my apps).

Whenever I hardcoded my username and password into a PHP file to connect to the database I felt a bit odd. Example:

$con = mysql_connect('localhost:8888','root','password');

I find this slightly awkward if I ever have to show code to anybody.

  • Is this secure or good practice?
  • Is there another way I should be connecting to the database?

I would be very grateful for any advice related to this issue.

Alex Coplan
  • possible duplicate of [How to safely store a password inside PHP code?](http://stackoverflow.com/questions/1432545/how-to-safely-store-a-password-inside-php-code) – Pekka Aug 20 '11 at 21:59
  • then another one: [How to secure database passwords in PHP?](http://stackoverflow.com/q/97984) ... the bottom line is that you're on the right track with your suspicion - it's best to store the data in a separate include file, ideally outside the web root. – Pekka Aug 20 '11 at 22:01
  • See [How do I make my database connection secure](http://stackoverflow.com/questions/2345773/how-do-i-make-my-database-connection-secure) – lunohodov Aug 20 '11 at 22:07

2 Answers


For scripts that are going to be redistributed it would be better to group these together and either have them as constants or variables.

config.php

<?php
// config.php: every connection setting in one place (keep this file outside the web root)
define('DBHOST', 'localhost');
define('DBPORT', '8080');
define('DBNAME', 'my_db_name');
define('DBUSER', 'root');
define('DBPASS', 'password');

db.php

<?php
// db.php: pull in the constants and open the connection
include('config.php');
$con = mysql_connect(DBHOST . ':' . DBPORT, DBUSER, DBPASS);
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db(DBNAME, $con);

Doing this will make it easier for someone to make changes in the future instead of having to trawl through code to find where any connections are made etc.

For slightly better security the config.php script could be placed outside of the doc root so that it cannot be called directly.

Peter
  • would putting it into a folder which is set to disallow in robots.txt be advisable? – Alex Coplan Aug 20 '11 at 22:12
  • @Alex Coplan: disallow in robots.txt? that file should be completely out of web access reach! – Daniel Aug 20 '11 at 22:14
  • @Dani so where would you store it? - sorry I am very new to web development – Alex Coplan Aug 20 '11 at 22:16
  • Do not disallow this in robots.txt. Anyone can read the content of robots.txt. If you disallow it in this file you are pretty much confirming the existence of the file. What I meant was that say you have a www folder contained within another folder called root. If your web site is located in www, the config should be placed in root. The reason is that root is not accessible on the internet. There are still ways to get the content but this is not as easy. – Peter Aug 20 '11 at 22:17
  • `robots.txt` is just guidance for "good crawlers". "Bad crawlers" will just ignore its guidance and enjoy the information disclosure. – Hugo Mota Aug 20 '11 at 22:21
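The layout Peter describes (site in `www`, config one level up in `root`), as an added example that is not Peter's code: it uses PDO rather than the old `mysql_*` extension (removed in PHP 7), refuses to start if the config file turns out to sit under the document root, and keeps connection errors out of the HTTP response. The paths, the `app_user` account and the `CHANGE_ME` password are assumptions.

```php
<?php
// Added example. Assumed layout: /home/site/www is the document root,
// /home/site/root/config.php holds the credentials and is never served.
//
// /home/site/root/config.php would contain only:
// <?php
// return [
//     'host' => 'localhost',
//     'port' => 3306,
//     'name' => 'my_db_name',
//     'user' => 'app_user',    // least-privilege account, not root
//     'pass' => 'CHANGE_ME',   // placeholder
// ];

// /home/site/www/db.php
function loadDbConfig(string $path): array
{
    $realPath = realpath($path);
    if ($realPath === false) {
        throw new RuntimeException('DB config file not found');
    }
    // Refuse to run if the config was (mis)placed under the document root.
    $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docRoot !== false && strpos($realPath, $docRoot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('DB config must live outside the document root');
    }
    $config = require $realPath;
    foreach (['host', 'port', 'name', 'user', 'pass'] as $key) {
        if (!is_array($config) || !array_key_exists($key, $config)) {
            throw new RuntimeException("DB config missing '$key'");
        }
    }
    return $config;
}

function connectDb(array $c): PDO
{
    $dsn = sprintf('mysql:host=%s;port=%d;dbname=%s;charset=utf8mb4', $c['host'], $c['port'], $c['name']);
    return new PDO($dsn, $c['user'], $c['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

try {
    $pdo = connectDb(loadDbConfig(__DIR__ . '/../root/config.php'));
} catch (Throwable $e) {
    error_log('DB connection failed: ' . $e->getMessage()); // details stay in the server log
    http_response_code(500);
    exit('Service unavailable');                            // no DSN or credentials in the response
}
```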

I never hardcode the login information into the PHP code. I always put it in a separate file that gets included into the actual PHP code file. That way you never need to show the login data to anyone. It also makes it slightly harder to get at the file if someone is trying to spoof the web server.

Flyingdiver