nightkarnation Posted November 4, 2010

Hey guys, I have a simple question. I have a Config.php file that connects to a mysql database on my server... Something like this (modified data, of course):

    <?php
    // database information
    $dbhost = 'localhost';
    $dbuser = 'root';
    $dbpass = '******';
    $dbname = 'databasename';
    ?>

Can a hacker access those variables? How can I protect this? Ideas, suggestions? Thanks in advance!
Psycho Posted November 4, 2010

You should not put anything with sensitive data within public folders (i.e., available for users to access directly over the internet). Assuming everything is working as it should, anyone navigating to that file directly should get an empty page, but never assume there will never be problems. Instead, put your config file one directory above the public directory. Then your PHP pages can access the config file via the local file path, but a user could never try to access it by entering the address into their browser.
gizmola Posted November 4, 2010

It's in a php script so it's already protected in that it will be parsed by the php interpreter. Also, what mjdamato suggests is a good idea if you can manage it; however, again, being a php file, it will already be parsed, so executing it by itself isn't an issue. It's a good idea to make sure that the file is not writeable.

To mjdamato's point, there is always a concern that running a single script might leak information or leave things in an inconsistent state. Some applications will use a global variable or constant to further protect scripts so that even though they are in webspace, they can't be executed out of context. For example, in their main/bootstrap script they might set a constant:

    define('MYAPP', true);

Then in their include files they'll add at the very top:

    if (!defined('MYAPP')) die ('Not authorized.');

For the most part, simple initialisation scripts are not a major concern. Most frameworks utilize an initialization class and registry class to read in needed configuration variables and then to make them available in an application registry. Take a look at Zend_Config and Zend_Registry for examples of this.

If you can do what mjdamato suggests then I would certainly do that, although on some host accounts you're somewhat limited as to where you can put files that can be seen by apache.
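Putting the two answers above together, as an added example that is not code from any of the posters: Psycho's advice to keep the config one level above the public directory, and gizmola's `defined()` guard and "not writeable" check. The directory layout, the `MYAPP` constant reuse, the array of placeholder credentials and the `mysqli` connection are all assumptions made for the example. The two file sections are separate files, shown in one listing.

```php
<?php
// ---- /var/www/myapp/config.php (one level ABOVE the public directory) ----
// Assumed layout: DocumentRoot is /var/www/myapp/public, so this file has no URL.
// Guard from gizmola's post: refuse to run unless the bootstrap defined MYAPP.
// If the file is ever copied into web space, a direct request yields nothing useful.
if (!defined('MYAPP')) {
    header('HTTP/1.1 403 Forbidden');
    exit('Not authorized.');
}

// Placeholder credentials (assumed values, not from the thread).
// Use a dedicated database account rather than root.
return array(
    'host' => 'localhost',
    'user' => 'app_user',
    'pass' => '******',
    'name' => 'databasename',
);

<?php
// ---- /var/www/myapp/public/index.php (the bootstrap, inside the public directory) ----
define('MYAPP', true);

// Resolve the config path relative to this script, not to the web root or cwd.
$configFile = dirname(__DIR__) . '/config.php';

// Deployment sanity checks:
//  1. the config exists,
//  2. it is not inside the document root (Psycho's point),
//  3. it is not writeable by group/other (gizmola's point).
$docRoot = realpath(isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : __DIR__);
$real    = realpath($configFile);

if ($real === false) {
    exit('config.php missing');
}
if ($docRoot !== false &&
    strncmp($real, $docRoot . DIRECTORY_SEPARATOR, strlen($docRoot) + 1) === 0) {
    exit('config.php is inside the web root; move it one level up');
}
if ((fileperms($real) & 0022) !== 0) {
    exit('config.php is writeable by group or others; chmod 0640 it');
}

$db = require $real;   // the array returned by config.php

$mysqli = new mysqli($db['host'], $db['user'], $db['pass'], $db['name']);
if ($mysqli->connect_error) {
    // Log the detail server-side; never echo credentials or driver errors to the visitor.
    error_log('DB connect failed: ' . $mysqli->connect_error);
    exit('Service unavailable');
}
```

Returning an array from `config.php` (instead of setting globals) keeps the credentials scoped to the bootstrap, and the three checks turn the "never assume there will never be problems" advice into something a deployment can actually verify.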