Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Where to safely store database credentials within a PHP website [closed]

Tags:

security

php

mysql

I am developing a website that will eventually be connecting to a mySQL database. My question is how do I safely and securely store those credentials to access that database within my PHP site without risk of them accidentally being compromised by, for example, the server returning PHP as normal text? Any help is appreciated, thanks! :)

like image 268
scarecrow850 Avatar asked Sep 11 '15 00:09

scarecrow850

People also ask

How do you secure your database credentials?

While storing password place holders in config files is a good start; creating a data source and connection pool programmatically will ensure that the database credentials are not stored on the build server (after parameter replacement in code) or on on the drive on the production server and are thus impervious to theft.

Is it safe to store passwords in a PHP file?

There is an additional risk with storing passwords in a .php file within your webroot, which is a bit obscure but can be easily avoided by placing the file outside of your web root.

What file stores the credentials to connect to the database?

My connection.php file stores the credentials to connect to the database: When a page need to connect the database I just use <?php include ("connection.php"); ?>.

What is the best way to store credentials in a framework?

The idea is to use a properties file or framework-specific configuration file to store credentials and then use it in code at run time. While it is extremely easy to get going; the credentials will make their way into the version control system and thus extremely vulnerable to theft and misuse. Zero implementation time.

1 Answers

Common practices for this problem include putting the database credentials in a configuration file that is not PHP, such as a .ini file, and then reading that with PHP. To add extra security you should also put the configuration file outside of the web root, so that you can be sure no one can access the file by navigating directly to it.

For example, the Laravel framework (among others) define the web root in the /public directory, while outside that directory is a .env file containing database credentials among other settings.

Have a look here for more info: How to secure database passwords in PHP?

More importantly though, you should never have to worry about your PHP being served as plain text. Take the proper development precautions to ensure this never happens. Some starting points are:

  • Making sure you have PHP installed!
  • Make sure you open and close your tags properly
  • Make sure your file extension is .php and not .html (unless you use this work around)
  • Also make sure in production code that you aren't displaying errors on the page (display_errors ini)
like image 111
samrap Avatar answered Oct 25 '22 19:10

samrap
Sign in to Comment

Related questions

How to apply bootstrap style in dompdf
How do you set up the database Queue driver for Laravel 5?
Using artisan serve after changing the public folder name
mysql_connect(): No such file or directory in /opt/lampp/htdocs/
Making use of the base path in Laravel 5 (Lumen)
Laravel 5 ignore Authentication specific route
MySQL SUM time(3) with milliseconds
Empty space at beginning of rsyslog log file
Select multiple not working
Where should I write my code so that Composer can autoload my PHP classes?
Images Fail to Load, net::ERR_CONTENT_LENGTH_MISMATCH
Multi-dimensional array, remove array where key and value match another array
Only can load one Zingchart
Php cannot read secure cookies
Debugging Codeigniter with XDebug using PHPStorm
gd-png cannot allocate image data
How much cost/rounds does Laravel use to hash with?
How to add Custom button and its functionality in Admin Silverstripe?
How to get the most favourited items, from another table?
Laravel with SQL server 2008 throw "Conversion of a varchar data type to a datetime data type resulted in an out-of-range value"

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!