Where to safely store database credentials within a PHP website [closed]

Question

I am developing a website that will eventually be connecting to a mySQL database. My question is how do I safely and securely store those credentials to access that database within my PHP site without risk of them accidentally being compromised by, for example, the server returning PHP as normal text? Any help is appreciated, thanks! :)

Answer 1

Common practices for this problem include putting the database credentials in a configuration file that is not PHP, such as a .ini file, and then reading that with PHP. To add extra security you should also put the configuration file outside of the web root, so that you can be sure no one can access the file by navigating directly to it.

For example, the Laravel framework (among others) define the web root in the /public directory, while outside that directory is a .env file containing database credentials among other settings.

Have a look here for more info: How to secure database passwords in PHP?

More importantly though, you should never have to worry about your PHP being served as plain text. Take the proper development precautions to ensure this never happens. Some starting points are:

• Making sure you have PHP installed!
• Make sure you open and close your tags properly
• Make sure your file extension is .php and not .html (unless you use this work around)
• Also make sure in production code that you aren't displaying errors on the page (display_errors ini)