mysql connect - should username/password be hardcoded?

Question

I'm an iPhone developer, and I've just started out with PHP & mysql (making websites for others, and web services for my apps).

Whenever I hardcoded my username and password into a PHP file to connect to the database I felt a bit odd. Example:

$con = mysql_connect('localhost:8888','root','password');

I find this slightly awkward if I ever have to show code to anybody.

• Is this secure or good practice?
• Is there another way I should be connecting to the database?

I would be very grateful for any advice related to this issue.

Answer 1

For scripts that are going to be redistributed it would be better to group these together and either have them as constants or variables.

config.php

<?PHP
define('DBHOST', 'localhost');
define('DBPORT', '8080');
define('DBNAME', 'my_db_name');
define('DBUSER', 'root');
define('DBPASS', 'password');

db.php

<PHP
include('config.php');
$con = mysql_connect(DBHOST.':'. DBPORT,DBUSER,DBPASS);
mysql_select_db(DBNAME, $con);

Doing this will make it easier for someone to make changes in the future instead of having to trawl through code to find where any connections are made etc.

For slightly better security the config.php script could be placed outside of the doc root so that it cannot be called directly.

Answer 2

I never hardcode the login information into the PHP code. I always put it in a separate file that gets included into the actual PHP code file. That way you never need to show the login data to anyone. And makes it slightly harder to get at the file if someone is trying to spoof the web server.