Menu
I would like to know if it is secure to save the username, password, server etc. in the php.ini file so when I connect to the MySQL server I don't have to always put the parameters?
Also, can this information (saved in the php.ini) be viewed or retrieve by any kind of methods (like phpinfo() or something like that)?
261
My recommendation: Don't store passwords in source code. Instead, store them in a configuration file (outside of the web root), and make sure the configuration file is not publicly accessible.
MySQL stores credentials in the user table in the mysql system database. Operations that assign or modify passwords are permitted only to users with the CREATE USER privilege, or, alternatively, privileges for the mysql database ( INSERT privilege to create new accounts, UPDATE privilege to modify existing accounts).
There's no way to require an additional password for a user once he logged in. Control access via the normal MySQL login. The user name used for that can be configured to have only access to the objects you want. The used user name decides what is allowed and what is not.
As long as you make sure the ini file is outside the DOCUMENT_ROOT and not world-readable, it's no less secure than any other method.
91
It isn't secure, because you can read ini files with php method: parse_ini_file
43
You don't have to put that info in the parameters every time. You can define the connection in a separate file (dbconnection.php) and include that in the files that need a database connection.
32
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
