I hate having the password for my database out in the open. Anyone who gets a look at my code has access to the password. What can I do to secure it so my PHP scripts can access it but it's harder to find?

I thought about storing it in a file, but if you've got read access to the file you've got read access to the password. Encryption is the next thing I thought of, but my script would have to do the decryption. Once you have that info, what's to keep you from using it?

How can I keep it safe and still use it?

All 4 Replies

If my scripts via codes are somewhat special as in exclusive to and for me only, I would MD5 my passwords (text boxes if any) and encrypt it with mad dog. But that's be.

They're for the whole thing. I thought about using a hash that's so long it'd be difficult for a human to copy, but that still doesn't prevent machine copying.

Try this. You can always use a file that is stored outside of the Web site tree on your server. The file can contain the entire command to open the database, including the database name and password. You then include that file in your Web script using the server path (not the Web site path). Files stored outside of the Web site tree are not accessible via the Internet.

Here's an example of a call to a file above the Web site tree on a server:

require_once ('/home/mysiteaccountname/temp/DB01.php');


Here is what is in DB01.php:

mysql_select_db('myDatabse', mysql_connect('localhost','myUserName','myPassword')) or die(mysql_error() );

Files that are stored outside of the Web space cannot be read from the Internet, but they can be read from a script within the site's Web space. This means your PHP program can read it, but someone using your site should not be able to get to it. All the important info about your database is out of the reach of the bad guys.

If you want to add an additional level of security, then encrypt the password as well.

Can you please try the following or something like this?

// We do not store the username and pass in variables
$db = mysql_connect("host", "muyser", "mypass");

OR

$user = "myuser";
$pass = "mypass";
$db = mysql_connect("host", $user, $pass);
unset($user, $pass);
// Do database selection here

In both cases, one has to put this file outside the web root.

Thanks.
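
An added example, not part of any reply above: one way to apply the outside-the-web-root advice with a loader that refuses a credentials file placed inside the web root or accessible to every local user. It returns PDO-style settings instead of using the thread's mysql_* calls (that extension was removed in PHP 7); the function name, paths and array keys are assumptions, and a POSIX host is assumed.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Assumes a POSIX host; all paths are constructed.
function load_db_credentials(string $file, string $docroot): array
{
    $real = realpath($file);      // resolves ".." and symlinks
    $root = realpath($docroot);
    if ($real === false || $root === false) {
        throw new RuntimeException('credentials file or web root not found');
    }
    if (strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('credentials file is inside the web root');
    }
    clearstatcache(true, $real);
    if ((fileperms($real) & 0007) !== 0) {
        throw new RuntimeException('credentials file is accessible to all local users');
    }
    $cfg = require $real;         // the file must "return [...]"
    foreach (['dsn', 'user', 'pass'] as $key) {
        if (!is_array($cfg) || !isset($cfg[$key]) || !is_string($cfg[$key])) {
            throw new RuntimeException("credentials file is missing '$key'");
        }
    }
    return $cfg;
}

// Demo on a constructed layout: <tmp>/site/public_html is the web root.
$base = sys_get_temp_dir() . '/dbcfg_demo_' . getmypid();
mkdir("$base/site/public_html", 0755, true);
$body = "<?php return ['dsn' => 'mysql:host=localhost;dbname=myDatabase',"
      . " 'user' => 'myUserName', 'pass' => 'myPassword'];\n";

file_put_contents("$base/site/DB01.php", $body);
chmod("$base/site/DB01.php", 0640);   // owner and group only, nothing for "other"
$c = load_db_credentials("$base/site/DB01.php", "$base/site/public_html");
echo "loaded credentials for user {$c['user']}\n";
// With a real server: new PDO($c['dsn'], $c['user'], $c['pass'],
//                             [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// The same file copied into the web root is refused.
copy("$base/site/DB01.php", "$base/site/public_html/DB01.php");
try {
    load_db_credentials("$base/site/public_html/DB01.php", "$base/site/public_html");
} catch (RuntimeException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```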
