secure database configuration values

[rohithreddyk]

hi.. I wan to know what is the best way to secure database username/password values.... till now what i am doing is have a config.php file which contains the req info and include it in all the php files where database connection is needed..

config.php

$db_server = 'Localhost';
$db_name = '#####'; 
$db_username = '#######';
$db_password = '#######';
$link = mysql_connect($db_server,$db_username,$db_password); //	Link to use in session connections to form dB based sessions
if(!$link){
die("Could not connect to database!");
}
$db = mysql_select_db($db_name,$link);
if(! $db){
die("Could not select database!");
}

 

 

and I am including this in all .php files where needed..

 

 

i want to know what are the security probs with using this and want to know the best way to do this

 

Thanks in advance

[anupamsaha]

Do you want to hide DB access info from others? If yes, simply put the config file outside the web root directory and include the file from there in all the required script. Also, you can set the path of the config file include path directive in php.ini file, if possible or in .htaccess file.

 

Hope this will help.

[rohithreddyk]

prob is i dont have control over php.ini file.. and i dont have access to entire web root.. one folder was created by the admin and that folder is shared with me...i have all my .php files in that folder

[PFMaBiSmAd]

Php code in a .php file IS secure, unless the php installation on your server breaks so that php code is no longer parsed at the same time someone is attempting to access your config.php file.

 

You should put some code in the file to prevent the connection code from being executed if someone browses directly to the file -

 

// detect direct access to included/required file
if(strtolower(basename($_SERVER["SCRIPT_NAME"])) == strtolower(basename(__FILE__))){
   exit('No Direct Access');
}

 

[rohithreddyk]

thanks a lot...that helps