datanut Posted March 28, 2012

I've been trying to find a good, up-to-date source on how to secure the authentication credentials for my db connection. I've done some PHP coding and would like to learn more. There's plenty of information available, but I often find books inevitably have typos in the code. Also, most of the online tutorials are either at least several years old or deal more with user login security.

User authentication is one thing, but what are the best ways to secure the connection to the database itself? Obviously your basic newbie method of unencrypted host, username, password, and database stored in a connectvar file is just an open invitation--or maybe not, since it doesn't present a challenge to a hacker. Some say to encrypt the credentials with something like MD5 and store them in .htaccess. Other sources say not to use MD5.

Any advice on where to find some good resources on this? Cheers!

Muddy_Funster Posted March 28, 2012

Depends on your scenario: is your web server also your db server, or do you create a remote connection?

datanut Posted March 28, 2012 (Author)

Right now, I'm hosted at GoDaddy with the economy Linux setup (rather liquidweb but on the cheap right now), i.e. sharing server space with who knows what. With that said, looking at one of the warnings in phpMyAdmin about enabling statistics, the web server and MySQL server are separate.

scootstah Posted March 28, 2012

Storing the credentials in a PHP file is usually perfectly fine. An attacker would have to gain entry to your filesystem to retrieve the database credentials. The only thing they can do with the database credentials is access your database, right? So even if you encrypt them, if an attacker has access to the filesystem he can just upload his own script and tap into your existing connection anyway; thereby having all the access to the database that he wants.

EDIT: So put simply, if an attacker gains access to your filesystem you are screwed either way.