Secure storage of database connection credentials

Question

Here's how I connect to my database:

• create a "access.php" file that has the username and password of the database inside it.
• create a "main.php" file in which I include access.php and then create MySQL connection and the rest.

How secure is this way of coding? I'm just a bit scared that if someone could somehow donwload the access.php and get to know my user and pass.

Any suggestions?

Answer 1

Since your php file is under a web server, it cannot be downloaded as pure file, but will be served always compiled, so the source code cannot be visible to users.

To view your username and password stored in the file, a user should have access to the server's file system. So you can feel comfortable.

Answer 2

I have a .php file called "Connect" which is the database connection file.
Then I have a file I call "config.php" which contain the username, pass etc.

Then once the database connection has been initiated or whatever it is called (sorry I am not English), then you would "unset" the variables which contain the login info, eg:
unset($config['mysql_pass']);

However you shouldn't be scared of people being able to download your access.php file, as it is executed server-side, and the content are not visible to any front-end users.

You could also put your access.php file in a folder just before your public_html folder, this way, it cannot be accessed for outside the server.

Hope it helps :)

Answer 3

Possible duplicate question. Check out this older post: How to secure database passwords in PHP?

One additional "trick" is to use somewhat ambiguous names for config files.... don't use something like db_config.php.

Answer 4

I don't think people can't just download the access.php file. When people type the location of the file in browser, php interpreter executes the file, does not just send the file to the user. However if you install some other malicious script it may read the file & do harmful things, like downloading the file