MySQL login credentials, where to store them, how to prevent discovery

[enveetee]

OK, so my application is now in the Beta phase and I am rolling it out to some tame customers. I am using justhost.com for hosting using a standard Business Pro package

 

Each one of my PHP scripts has an required_once to a PHP include which contains the MySQL login name and password details. Obviously if anyone gains access to this the game is over.

 

Where is the best place to keep this file (I have it in ../includes)

 

How do I stop anyone from seeing the contents

 

Thanks

[mac_gyver]

if you are asking about visitors to a site being able to see the raw contents of a .php file, they cannot, since browsing to the file will only show any output from that file. it would require that you have code that's echoing the variables/defined constants holding the database credentials or that your site provided a way for someone to display/download the raw contents of a file on your site, such as by not validating the path and filename being supplied (all external data cannot be trusted and must be validated before use) to a download script or a page controller/template engine that reads the contents of a file and then outputs the content on a page...

 

in the rare event that php on a server ever gets broken and outputs the raw content of .php files or you are using php's short open tags and they get turned off (full opening php tags cannot get turned off), the best place to put ALL included/required files is in a folder that's outside of/below/closer to the disk root folder from your htdocs folder so that they cannot possibly be browsed to.

 

or that your site allows a .php code file to be uploaded onto the server and then browsed to (uploaded files should be placed into a folder that cannot be browsed to) or allows php code to be saved as content that's eval()'ed (using eval() should be avoided unless you know exactly what content is being supplied to it) on the server or allows an external file to be included (the settings that allow this should be turned off) and ran on your server, which would allow someone to run their own php code on your server, which would allow them to take over your site and have access to all of the files anyways.

[enveetee]

Mac_gyver - thanks, very enlightening.

 

The solution seems to be to keep sensitive files (MySQL credentials and raw uploaded files) in a folder which the server cannot access so now the question becomes:

 

How do I access files outside of the server web root?

 

public_html/

/phpfiles

/includes

/docs

/script

/other

/sensitivefiles <<<<< (my php scripts need access to the contents of this folder but a browser cannot gain access)

 

Cheers

[Ch0cu3r]

 

How do I access files outside of the server web root?

By using a relative or absolute file path when including the file eg

include '../sensitivefiles/db.php'; // relative path

include '/home/enveete/yoursite.com/sensitivefiles/db.php'; // absolute path

An alternative way would be to add that directory to the include path

 

PHP use file paths to access files not urls. So PHP is not restricted from accessing files outside of the public html folder. PHP can access any file on the sever so long as file permissions allow it to.