Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why put MySQL credentials outside of www directory? [duplicate]

Tags:

security

php

mysql

credentials

Possible Duplicate:
Putting core classes above the web root - good or bad idea?

I keep reading that it's a best practice to put MySQL connection credentials (whether it's a class, defines, etc..) outside of the web root (above the www folder).

Why is this? If the credentials are in a .php file then it doesn't matter if the file is accessible through the browser, right?

like image 710
Nate Avatar asked Dec 20 '12 16:12

Nate

3 Answers

It's a preventative measure. If someone accidently disables php evaluation in your apache server or changes an apache setting in an .htaccess file, the file could be served up like any plain text file. Or, if you accidently forget a php start tag, it would be redenerd like plain text. Not that you'd make such a dumb mistake, but maybe a future newbie working on your code might make a mistake.

Why leave a possible vector open when you can prevent it from ever being possible? Just take the advice of others who have shot their own foot (or like me, shot both feet and a hand) and move the credentials outside your docroot.

like image 166
Ray Avatar answered Oct 29 '22 13:10

Ray

Because, to a certain extent, nothing under the web root is secure. It's available on the Internet, which makes it inherently insecure.

There always exists the possibility that a misconfigured server may one day output the contents of any PHP file, rather than send it to PHP to be interpreted. There are also too many people out there trying to get into your database any way they can... some of them just for fun.

In any given situation, you should always use the most secure methods available. It's a good habit to get into.

Also, you should never use the root password in your web application. Create a special user with minimal privileges.

For PHP I always use an .ini file to store sensitive configurations...

<?php
    $config = parse_ini_file('../config.ini');
?>
like image 26
Ian Atkin Avatar answered Oct 29 '22 13:10

Ian Atkin

Because what's inside www directory (ie the root of your website) can be potentially accessible from the internet.

That means that if you put your credentials in here, maybe someone will be able to access them, and to connect directly to your DB.

Putting your credentials outside of this directory guarantees that it won't be accessible this way.

like image 2
xlecoustillier Avatar answered Oct 29 '22 14:10

xlecoustillier
Sign in to Comment

Related questions

Use PHP to count images in specific subdirectories
Conditional JOIN Statement in MySQL
How do I stop PHP from sending data to client while still running PHP code in server?
Magento Catalog Price Discount rules not apply in Product detail page
NicEdit data not in POST
if (!empty($_POST)) not working
Different Results for json_encode() PHP
check if javascript is available and redirect if javascript is not available [duplicate]
Replace multiple words with Str_Replace
PHP converting to boolean using '!!'
how to check if a date is three days before today
array_search() not finding 0th element [duplicate]
Using recursion to build navigation
How to display an BLOB image stored in MySql database?
Access Atlassian Jira REST API to run super simple report on a filter
How can I pass a parameter with submit button on form
How to hide a template in Wordpress? [closed]
php constant can be referenced but defined() returns false
Is it a good idea to update hash salt every login?
Future of the PHP MySQL functions [closed]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!