enveetee
Posted January 1, 2015

Hi there,

I am just finalising my first ever PHP/MYSQL project and I am worried about where to safely keep my connection credentials for the SQL DB.

Currently, I am storing them in ../php/config.php and this works fine, but I am worried as to the security of this.

Can anyone advise, please?

Thanks

Frank_b
Posted January 1, 2015

I prefer to store it outside the documentroot of your website. So in case your documentroot is /var/www/html then I should maybe store it in /var/www/config/config.php.

Another possibility is to store it in a subdirectory of the documentroot and protect it by an .htaccess file with the content

    Deny from All

If you are using apache 2.4 then it should be

    Require all denied

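Added example (not part of the thread and not code from any poster): a PHP loader for the layout Frank_b describes, with the credentials file kept beside the document root rather than under it, which refuses any config path that resolves inside the document root. The function name `load_db_config`, the `dsn`/`user`/`pass` keys and the temporary demo directories are assumptions made for this example.

```php
<?php
declare(strict_types=1);
// Added example; load_db_config() and the dsn/user/pass keys are hypothetical names.
// The config file is expected to be: <?php return ['dsn' => ..., 'user' => ..., 'pass' => ...];
function load_db_config(string $configPath, string $docRoot): array
{
    $config = realpath($configPath);   // resolves ../ and symlinks; false if missing
    $root   = realpath($docRoot);
    if ($config === false || $root === false) {
        throw new RuntimeException('Config file or document root not found');
    }
    // Refuse a config file that the web server could be asked to serve.
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($config, $rootPrefix, strlen($rootPrefix)) === 0) {
        throw new RuntimeException('Config file is inside the document root');
    }
    $settings = require $config;
    foreach (['dsn', 'user', 'pass'] as $key) {
        if (!is_array($settings) || !isset($settings[$key])) {
            throw new RuntimeException("Config is missing '$key'");
        }
    }
    return $settings;
}

// Constructed demo: a throwaway tree mirroring /var/www/html and /var/www/config.
$base = sys_get_temp_dir() . '/dbcfg_demo_' . getmypid();
mkdir("$base/html", 0700, true);
mkdir("$base/config", 0700, true);
$body = "<?php return ['dsn' => 'mysql:host=localhost;dbname=app', 'user' => 'app', 'pass' => 'example'];";
file_put_contents("$base/config/config.php", $body);
file_put_contents("$base/html/config.php", $body);

$ok = load_db_config("$base/html/../config/config.php", "$base/html");
echo "outside docroot: loaded DSN {$ok['dsn']}\n";
// In the application: new PDO($ok['dsn'], $ok['user'], $ok['pass']);

try {
    load_db_config("$base/html/config.php", "$base/html");
} catch (RuntimeException $e) {
    echo "inside docroot: rejected ({$e->getMessage()})\n";
}
```
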
ginerjm
Posted January 1, 2015

Assuming that your current location is 'outside' of the web-accessible tree, then that will be safe from attacks using http. Won't help if your site password is compromised and someone uses ftp to browse your site.

Course - there are better experts at this facet - let's see what they say.

NotionCommotion
Posted January 2, 2015

Well, I can tell you not to store it at /var/www/html/mySecretPasswords.ini (assuming a Redhat install). I wouldn't even do so if protected by .htaccess or something similar in httpd.conf as it is just a desultory in waiting.

I've toyed with the idea of encrypting the file, but since PHP will need to decrypt it, I guess this doesn't make sense.

Frank_b
Posted January 2, 2015

Exactly, it does not make any sense.

Do not think too difficult! Even if you store the mysql username and password in a normal accessible .php file then normal http users will not be able to read the code in the .php file. So the options mentioned above are already a little extra security.

And as ginerjm mentioned above it is much more important to use strong password protection for other protocols like SSH and FTP because those are main entrances! (Think about locking all the windows from the house but forget to close your frontdoor)