7

I would like to know if it is secure to save the username, password, server etc. in the php.ini file so when I connect to the MySQL server I don't have to always put the parameters?

Also, can this information (saved in the php.ini) be viewed or retrieve by any kind of methods (like phpinfo() or something like that)?

Dharman
  • 30,962
  • 25
  • 85
  • 135
Tech4Wilco
  • 6,740
  • 5
  • 46
  • 81

6 Answers6

6

As long as you make sure the ini file is outside the DOCUMENT_ROOT and not world-readable, it's no less secure than any other method.

Alex Howansky
  • 50,515
  • 8
  • 78
  • 98
  • +1 for suggesting keeping the file outside of the docroot. This does reduce the attack surface via other common vulnerabilities. – Cheekysoft Oct 25 '11 at 09:15
3

You don't have to put that info in the parameters every time. You can define the connection in a separate file (dbconnection.php) and include that in the files that need a database connection.

Luchian Grigore
  • 253,575
  • 64
  • 457
  • 625
3

It isn't secure, because you can read ini files with php method: parse_ini_file

Guilherme David da Costa
  • 2,318
  • 4
  • 32
  • 46
  • 1
    I think this is an invalid argument. If you want to be able to read the user/pass via PHP in order to make a connection, then *any* method you use to store the user/pass will have to be readable by PHP... – Alex Howansky Oct 24 '11 at 13:38
  • "He asked if that information could be retrieved by any method" But this is *always* true. I.e., by the same logic, saving the user/pass in a string within a private property of the db class is not secure, because I can see it with print_r($db). – Alex Howansky Oct 24 '11 at 14:03
  • "they will never let you mess with their ini file" -- It sounds like you're assuming he wants to put the user/pass in the global php.ini. That's not necessary. You can make your own local ini files to store local settings, and it's no less secure than putting settings in PHP source. – Alex Howansky Oct 24 '11 at 14:05
  • 1
    Yeah ok -- I re-read the question and I think you're right. First time I read it, I thought he meant a local ini file. So, to clarify: putting user/pass in global ini == bad unless it's a private server with no other users, putting user/pass in local ini == no worse than any other method. – Alex Howansky Oct 25 '11 at 14:47
1

I don't think there is security risk involve in saving any configuration in php.ini file since the location of the ini file is outside the "public" directory. No user can access this file.

You can get ini parameter using "ini_get" php function. You can find more information about this parameter from here: http://php.net/manual/en/function.ini-get.php

D3 K
  • 682
  • 1
  • 12
  • 19
0

It would be much more secure, if you had put it in a file without an extension, and then secure that file with .htaccess. Also, .ini file can be read by any browser, so that would be super unsecure.

Gregor Menih
  • 5,036
  • 14
  • 44
  • 66
0

As stated above, the .ini file might not be more or less secure than storing it in a .php file itself. However, one thing to consider is that when using the .ini file, this setting is effectively global to any and all PHP code and websites. Using the .ini file may affect other code that you wish to use a different user for.

Overall, it's probably best security practice to NOT use an .ini file to store the password, simply because it's now open to anybody storing PHP files on your server. Also makes it a bit of a hassle if you suddenly need to give multiple sites or applications for a site different logins (for separate databases). It's not best to use one login for multiple databases, except for the root user which should only be used for administrative purposes.

Jouva Moufette
  • 370
  • 2
  • 10