I don't seem to be able to get a straight answer on this, so hopefully somebody can help.

If I include a mysqli_connect() statement in my PHP script and also include my MySQL username and password, will those details be vulnerable at any point? Obviously anything between PHP brackets is not served up on the client side (and therefore should not be viewable when viewing the source etc.) however is there any other way that those details could be compromised?

Ryan
The above linked question addresses it pretty thoroughly. The only way your password will get compromised is if your server administrator is corrupt, or your web server is mis-configured and accidentally serves a PHP script as plain text or HTML. – Michael Berkowski Jan 29 '12 at 12:14

1 Answer

If, for some reason, PHP suddenly doesn't work (due to upgrade, corrupt config file, e.g.), the files might get served as HTML and the login information will be made freely available to anybody visiting the site. I have seen this happen before.

The best way to get around this, is to move everything out of your webroot, except an index.php file that just includes one file outside of the directory. This also means that your source code won't get compromised, assuming PHP won't work.

E.g. /var/www/public_html only holds one file: index.php:

<?php require("../entrypoint.php");

And everything else is then located in /var/www. If PHP then fails, only index.php will be compromised.

This will make it perfectly safe, unless your server itself gets compromised or you allow users to execute PHP code, but that is a whole other question. Most modular CMS's also unset all connection variables after the connection has been initialized to avoid one of the modules to be able to accidentally expose anything.

kba