When a PHP application makes a database connection it of course generally needs to pass a login and password. If I'm using a single, minimum-permission login for my application, then the PHP needs to know that login and password somewhere. What is the best way to secure that password? It seems like just writing it in the PHP code isn't a good idea.
AviD
12.9k6 gold badges61 silver badges91 bronze badges
asked Sep 18, 2008 at 23:27
3
Several people misread this as a question about how to store passwords in a database. That is wrong. It is about how to store the password that lets you get to the database.
The usual solution is to move the password out of source-code into a configuration file. Then leave administration and securing that configuration file up to your system administrators. That way developers do not need to know anything about the production passwords, and there is no record of the password in your source-control.
Farray
8,0543 gold badges32 silver badges37 bronze badges
answered Sep 18, 2008 at 23:32
user11318user11318
9,1732 gold badges25 silver badges25 bronze badges
18
If you're hosting on someone else's server and don't have access outside your webroot, you can always put your password and/or database connection in a file and then lock the file using a .htaccess:
order allow,deny
deny from all
answered Aug 3, 2009 at 18:28
kellenkellen
6,7953 gold badges21 silver badges10 bronze badges
9
The most secure way is to not have the information specified in your PHP code at all.
If you're using Apache that means to set the connection details in your httpd.conf or virtual hosts file file. If you do that you can call mysql_connect[] with no parameters, which means PHP will never ever output your information.
This is how you specify these values in those files:
php_value mysql.default.user myusername
php_value mysql.default.password mypassword
php_value mysql.default.host server
Then you open your mysql connection like this: