How can I secure my database credentials when using shared hosting and no access to outside the webroot?
Question
I have all of my database credentials within an include file that I wanted to place outside of my webroot file.
However, my shared hosting plan does not allow me to place files outside of the webroot. Would I have to look at encrypting my file in some way to make sure my credentials are secure?
I had read a method to produce a kind of fake 404 page, but that doesnt sound very secure to me at all.
I've also taken the step of creating a read-only user account so that if my account is compromised then at least nothing can be overwritten or dropped, but I obviously want to be as secure as I can given the limitations.
2 answers
solution1
2 ACCPTED 2012-10-07 16:21:40
You can't
Best what is possible is create php file which will be interpreted by hosting service.
<?php
$DB_USER = 'your_user';
$DB_PASS = 'your_pass';
$DB_INSTANCe= 'your_instance';
When someone will access your file from web browser he won't see anything. When you need your file just include it.
You could also add some .htaccess (probably) so no one using web browser will be able to access your file.
Someone who has read access to the same physical host as you will be sadly able to access this file, and there is no way to prevent that.
solution2
1 2012-10-07 16:03:20
If the server is running apache and you are allowed to override the directives then this could be achieved using by creating a .htaccess file in the webroot with the following lines, be sure to replace <FILENAME> (including the <>) with the name of the file you would like to deny access to.
#Deny access to the .htaccess file
<Files ~ "^\.htaccess">
Order allow,deny
Deny from all
</Files>
#Deny the database file
<Files ~ "^\<FILENAME>$">
Order allow,deny
Deny from all
</Files>
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.