Securely storing database connection details. Why use .inc at all?

Question

I am always reading that you should always store your database credentials outside of your document root because normally you would have them set to db.inc or something similar.

I can understand this and naturally it makes perfect sense.

What I don't understand is why you are making the file into one that you either need to set apache to hide or you need to put it into a secure location in the first place.

What is the issue with making it, say db.php - Then apache knows to execute the script first and return the output (which would presumably be blank in most cases).

Maybe I am being dumb and missing an inherent security flaw but is there any issues with just storing your details in a .php file? I mean Wordpress and other major open source PHP applications manage to get away with it, but is this because they can't make their script talk to folders outside of www or because it is just as secure as any other method?

Answer 1

Maybe I am being dumb and missing an inherent security flaw but is there any issues with just storing your details in a .php file?

A tiny slip up in the configuration of Apache, and the file starts being served raw instead of being processed by the PHP engine.

I mean Wordpress and other major open source PHP applications manage to get away with it, but is this because they can't make their script talk to folders outside of www or because it is just as secure as any other method?

They accept increased risk for increased convenience.

Answer 2

Storing files containing (database) credentials outside the document root is always a good idea. Say, you upgrade Apache, but forget updating the configuration with PHP. Any file in the document root can possibly be downloaded without getting parsed.

Wordpress, Joomla, phpBB and others are made to be portable. That is, reside in one folder.