Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to secure database passwords in PHP?

Tags:

security

database

php

When a PHP application makes a database connection it of course generally needs to pass a login and password. If I'm using a single, minimum-permission login for my application, then the PHP needs to know that login and password somewhere. What is the best way to secure that password? It seems like just writing it in the PHP code isn't a good idea.

like image 715
user18359 Avatar asked Sep 18 '08 23:09

user18359

People also ask

Is it safe to store password in php file?

The best way is to store password above your root directory. If you decide to have password in php file then no body would able to view because php files are excuted in the server. But if the server does not support php then those files will be delivered as text files and any one can see the password.

Is it safe to store passwords in database?

Storing plain text passwords in the database is a sin. Encryption functions provide one-one mapping between input and output and they are always reversible. If the hacker gets the key, he will be able to decrypt the passwords. The better way would be to use a one way cryptographic hash function.

How do you secure a database connection?

Identify the user IDs that you want to associate with the database connection, or create a user ID with a password, following the appropriate instructions for your operating system and database. Define the user IDs and passwords that the integration node can use to access a particular data source.

2 Answers

Several people misread this as a question about how to store passwords in a database. That is wrong. It is about how to store the password that lets you get to the database.

The usual solution is to move the password out of source-code into a configuration file. Then leave administration and securing that configuration file up to your system administrators. That way developers do not need to know anything about the production passwords, and there is no record of the password in your source-control.

like image 60
user11318 Avatar answered Sep 23 '22 06:09

user11318

If you're hosting on someone else's server and don't have access outside your webroot, you can always put your password and/or database connection in a file and then lock the file using a .htaccess:

<files mypasswdfile> order allow,deny deny from all </files>
like image 32
kellen Avatar answered Sep 26 '22 06:09

kellen
Sign in to Comment

Related questions

PDOException SQLSTATE[HY000] [2002] No such file or directory
Can I try/catch a warning?
Laravel 5 Failed opening required bootstrap/../vendor/autoload.php
Why would one omit the close tag?
Pass a PHP string to a JavaScript variable (and escape newlines) [duplicate]
In PHP, how do you change the key of an array element?
Add a new column to existing table in a migration
How to remove non-alphanumeric characters?
Difference between array_map, array_walk and array_filter
How should I choose an authentication library for CodeIgniter? [closed]
What is the difference between bindParam and bindValue?
Correct file permissions for WordPress [closed]
Send email using the GMail SMTP server from a PHP page
How do you debug PHP scripts? [closed]
urlencode vs rawurlencode?
Creating default object from empty value in PHP?
Call to undefined function curl_init().? [duplicate]
PHPUnit assert that an exception was thrown?
How to push both value and key into PHP array
How to run single test method with phpunit?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!