HiveBrain v1.2.0
Get Started
← Back to all entries
patternsqlMinor

Is it secure to have database login in a PHP file? Other options?

Submitted by: @import:stackexchange-dba··
0
Viewed 0 times
securefilephploginoptionsdatabaseotherhave

Problem

I'm a DB and SQL beginner. I'm putting together a basic PHP app that has a few SQL queries. In all my searching and learning, every example accessed the database by first logging in. Makes sense, but in PHP, you have to put these credentials right in the PHP file, like this:

$mysqli = new mysqli("localhost","user","password","db");


This seems risky. For example, I'm aware of some server faults that will show your php file's text instead of executing.

Is this the kind of thing that beginners are shown for ease of access? If yes, what's the better way? Or is this standard and there's really not much to worry about? Why is it not a security hole?

Solution

What I have done for PHP projects is to define the database credentials (or any other credentials, for example web services) in files outside the http document root.

In fact, most of your code can and should be put outside the http document root.

Then if your http server becomes misconfigured somehow and starts serving PHP code instead of executing the PHP code, then all they will see is:

<?php

include "myconfig.php";
include "myapp.php";

Code Snippets

<?php

include "myconfig.php";
include "myapp.php";

Context

StackExchange Database Administrators Q#322570, answer score: 6

Revisions (0)

No revisions yet.