database passwords

Post by s.dot »

When designing an application that requires storage of the database password to connect to the database

e.g.

mysql_connect($cfg->host, $cfg->user, $cfg->password);
Where do you store that? Obviously you can't hash it. And storing it in the database itself would be bad.

EDIT| I guess it doesn't make much sense to store such details in a database. Lol, I don't know what I was thinking. Where would such details go?

Re: database passwords

Post by John Cartwright »

Typically in a flatfile that is secure from the outside world, albeit outside the webroot or protected through .htaccess (preferably the former)

Re: database passwords

Post by pickle »

Jcart wrote: outside the webroot
Is that really necessary? As long as the script doesn't output the password to the screen it should be pretty protected from the world.

If I've got lots of different apps & databases on one box, I store the credentials in an include file.

If I've got a box dedicated to one system, I store the credentials right in the DB abstraction constructor function. That eliminates it from any variable space so I can print_r() to my heart's content without worrying about the credentials being dumped to the screen.

Re: database passwords

Post by allspiritseve »

pickle wrote: Is that really necessary?
It is possible for PHP scripts to be displayed and not parsed on screen, so people can view the code. I don't know how, but I know that it can happen. So keeping it below the webroot protects against that being a security risk.

Re: database passwords

Post by Mordred »

Include file with config data, and I unset it after connecting.

Re: database passwords

Post by baileylo »

allspiritseve wrote:
pickle wrote: Is that really necessary?
It is possible for PHP scripts to be displayed and not parsed on screen, so people can view the code. I don't know how, but I know that it can happen. So keeping it below the webroot protects against that being a security risk.
The PHP parser on the site could go down; that would then just display all PHP code to the screen, including your password. I prefer to put my db connect information one level above webroot as well.
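
The suggestions made in this thread (a config file kept outside the webroot, credentials unset after connecting, and credentials kept out of global variable space) combined into one loader, as an added example that is not code from any poster. The function names, array keys and paths are assumptions, and the demo uses an in-memory SQLite DSN (requires pdo_sqlite) as a stand-in for a MySQL DSN so that it runs offline.

```php
<?php
// Added example; paths, array keys and function names are assumptions.
// The config file is plain PHP returning an array with 'dsn', 'user', 'password'.

function loadDbConfig(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('Config file or document root not found');
    }
    // Reject a file the web server could hand out as plain text.
    if (strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('Config file is inside the document root');
    }
    // POSIX only; assumes PHP reads the file as its owner or group.
    if (fileperms($real) & 0004) {
        throw new RuntimeException('Config file is world-readable');
    }
    $cfg = require $real;
    foreach (['dsn', 'user', 'password'] as $key) {
        if (!is_array($cfg) || !isset($cfg[$key])) {
            throw new RuntimeException("Config is missing '$key'");
        }
    }
    return $cfg;
}

function connectDb(string $configPath, string $docRoot): PDO
{
    // Credentials stay in this function's scope, never in a global.
    $cfg = loadDbConfig($configPath, $docRoot);
    try {
        return new PDO($cfg['dsn'], $cfg['user'], $cfg['password'],
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    } catch (PDOException $e) {
        // The original trace can carry the constructor arguments; do not rethrow it.
        throw new RuntimeException('Database connection failed');
    } finally {
        unset($cfg); // drop the credentials once the connection attempt is over
    }
}

// Demo with constructed values: throwaway config beside a fake document root.
$base = sys_get_temp_dir() . '/dbcfg_demo_' . getmypid();
mkdir("$base/public", 0700, true);
file_put_contents("$base/db.php", "<?php return ['dsn' => 'sqlite::memory:', 'user' => '', 'password' => ''];");
chmod("$base/db.php", 0600);
echo get_class(connectDb("$base/db.php", "$base/public")), "\n";
```

Pointing the first argument at a copy of the file placed under the document root makes `loadDbConfig()` throw before the file is ever included.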