0

Here's how I connect to my database:

  • create an "access.php" file that has the username and password of the database inside it.
  • create a "main.php" file in which I include access.php and then create MySQL connection and the rest.

How secure is this way of coding? I'm just a bit scared that someone could somehow download access.php and get to know my user and pass.

Any suggestions?

Gumbo
Kourosh

4 Answers

2

Since your PHP file is under a web server, it cannot be downloaded as a pure file, but will always be served compiled, so the source code cannot be visible to users.

To view your username and password stored in the file, a user should have access to the server's file system. So you can feel comfortable.

ʞᴉɯ
1

I have a .php file called "Connect" which is the database connection file.
Then I have a file I call "config.php" which contains the username, pass etc.

Then once the database connection has been initiated or whatever it is called (sorry I am not English), then you would "unset" the variables which contain the login info, eg:
unset($config['mysql_pass']);

However, you shouldn't be scared of people being able to download your access.php file, as it is executed server-side, and the contents are not visible to any front-end users.

You could also put your access.php file in a folder just before your public_html folder; this way, it cannot be accessed from outside the server.

Hope it helps :)

MrE
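The layout described in the answer above (credentials file kept outside the web root, variables unset once the connection exists), written out as an added example that is not part of any answer on this page. The paths, the array keys and the helper names `load_db_config` and `connect_db` are assumptions, and the permission check assumes PHP runs as the file's owner or group.

```php
<?php
// Added example, Unix paths assumed. Hypothetical layout:
//   /home/example/private/access.php    outside the web root; returns an array
//   /home/example/public_html/main.php  this file
declare(strict_types=1);

// Load settings, refusing a file that sits inside the web root or is world-readable.
function load_db_config(string $path, string $docRoot): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException('config file not found');
    }
    $root = realpath($docRoot);
    if ($root !== false && strpos($real, rtrim($root, '/') . '/') === 0) {
        throw new RuntimeException('config file is inside the web root');
    }
    // Assumption: PHP runs as the owner or group, so "other" needs no read bit.
    if ((fileperms($real) & 0004) !== 0) {
        throw new RuntimeException('config file is readable by every local user');
    }
    // access.php contains: return ['host' => ..., 'user' => ..., 'pass' => ..., 'name' => ...];
    $cfg = require $real;
    foreach (['host', 'user', 'pass', 'name'] as $key) {
        if (!is_array($cfg) || !isset($cfg[$key])) {
            throw new RuntimeException("config key missing: $key");
        }
    }
    return $cfg;
}

function connect_db(array $cfg): PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $cfg['host'], $cfg['name']);
    return new PDO($dsn, $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}

try {
    $config = load_db_config(__DIR__ . '/../private/access.php', $_SERVER['DOCUMENT_ROOT'] ?? __DIR__);
    $db = connect_db($config);
} catch (Throwable $e) {
    error_log('DB setup failed: ' . $e->getMessage()); // details go to the server log only
    http_response_code(500);
    exit('Service unavailable');                        // the client never sees the exception text
} finally {
    unset($config); // credentials no longer sit in a variable for later code to dump
}
```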
0

Possible duplicate question. Check out this older post: How to secure database passwords in PHP?

One additional "trick" is to use somewhat ambiguous names for config files.... don't use something like db_config.php.

Community
SBerg413
  • A down vote with no comment???? The link answers the question and my second comment would help if somehow someone was able to hack into the host's server. Shame on you. – SBerg413 Aug 28 '11 at 11:33
  • 1
    I agree with you SBerg on choosing not obvious names. That'll definitely confuse the snoopy, hence less risk. – Kourosh Aug 28 '11 at 11:35
  • 1
    Thank you Kourosh. It's a harmless trick and good practice. Up vote if you agree. – SBerg413 Aug 28 '11 at 11:36
-1

I don't think people can just download the access.php file. When people type the location of the file in a browser, the PHP interpreter executes the file; it does not just send the file to the user. However, if you install some other malicious script, it may read the file and do harmful things, like downloading the file.

Shafiul