melting_dog, Posted June 13, 2012

Hi all,

I am using a ModX CMS and want to have my own php file (my.php) in the root directory that connects to the database independently of the CMS. However, I am unsure of how to connect to the database securely, i.e. so that no-one sees my username and password etc.

The CMS has its own config file with all the DB connection info already in variables that is locked away in a folder with permissions set so that browsers cannot access it, but I am unsure how to pass those variables to my.php (this occurs in the index.php file in the root but I have been unable to replicate it).

Can anyone suggest a way for me to do this?

Thanks!
PFMaBiSmAd, Posted June 13, 2012

Php code inside of a .php file, using <?php ?> tags, is secure from prying eyes. Any php code in a .php file is parsed and executed on the server when the file gets requested. You only get any output that code sends. As long as you don't echo your username or password values, no one can see them by browsing to the file.

To prevent http requests to the file, to save some server resources should someone start requesting it or to protect in the rare case of php not working on the server, you can place your file outside the document root folder (closer to the disk root), place it into an existing or new folder that has had http requests disabled (there's nothing stopping you from putting your file into the same folder as the CMS's config file), or use a .htaccess file to stop http requests for that specific file no matter where it is placed.

Slightly off topic, but I have seen php scripts that store database username and password information in a specifically named .xml configuration file, with not one word about securing that file from http requests. You CAN browse to a .xml file and see the contents of it. You would also not want to use file extensions like .inc, .txt (anything other than .php) to put security related php code into.
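
Added example, not part of either post and not ModX's own code: a sketch of my.php that loads its credentials from a .php config file kept outside the document root, as the answer above suggests, and connects without ever echoing them. It assumes PHP 7 or later with PDO; the path `private/db_config.php` and the array keys `dsn`, `user` and `pass` are hypothetical names chosen for the example.

```php
<?php
declare(strict_types=1);
// my.php (added example). Path and key names below are assumptions.

// Hypothetical location one level above the web root, so no URL maps to it.
$configFile = dirname(__DIR__) . '/private/db_config.php';

$real    = realpath($configFile);
$docRoot = realpath(__DIR__);   // my.php itself sits in the web root

// Refuse to run if the config is missing or has ended up inside the web root.
if ($real === false || $docRoot === false
    || strpos($real, $docRoot . DIRECTORY_SEPARATOR) === 0) {
    error_log('my.php: config file missing or inside the document root');
    http_response_code(500);
    exit('Configuration error.');
}

// The hypothetical db_config.php is a .php file whose only statement is
//   return ['dsn' => 'mysql:host=localhost;dbname=example;charset=utf8',
//           'user' => 'example_user', 'pass' => 'example_password'];
// Because it is PHP, a direct request would execute it and output nothing.
$cfg = require $real;

try {
    $pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
} catch (PDOException $e) {
    // Log on the server only: the message can include the host and user name.
    error_log('my.php: database connection failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Database unavailable.');
} finally {
    // The credentials are not needed once the connection attempt is over.
    unset($cfg);
}

// The visitor only ever receives what the script chooses to output.
$ok = $pdo->query('SELECT 1')->fetchColumn();
echo $ok === false ? 'Query failed.' : 'Connected.';
```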