
Thread: Secure MySQL login information for use with PHP site access

  1. #1
    smokebox Guest

    Secure MySQL login information for use with PHP site access

    There's a wealth of information out there on how to properly secure and validate a user's name and password which is stored in a MySQL table to authorize user access to a web page.

    My question is what is the (or a) recommended way to secure the database login info needed to establish the MySQL connection?

    Is simply storing the database login info in a folder listed under the Helm-> Secure Folder Directories sufficient?

    I understand the topic of Security is a dynamic one, but I'm just looking for some guidance on the protection of the database login info.

  2. #2


    The primary method we recommend for securing database connection/configuration files for best security would be to store that file in a directory outside of the wwwroot folder (public_html for Linux Users). You can then include that file in your PHP script.
    For example, if I stored my database configuration file, db_connect.php, in my home directory at the same level as wwwroot, I can access it from PHP by:
    PHP Code:
     include("../db_connect.php"); 
    Since this file is outside the wwwroot folder, it cannot be accessed through the browser, only by a server-side PHP include.

    For Linux users, another option would be to password-protect the directory the database configuration file will reside in.
    This creates a password-protected folder; if someone attempts to access it from the browser, it will require a username and password.

    To do this on cPanel: Login to cPanel, and click on "Password Protect Directories" to create a password protected directory.
    To do this on Plesk: Login to Plesk, Select your domain and go to the "Password Protected directories" to create a password protected directory.

    There are some additional things you can do to harden the security of database configuration files which include:
    • NEVER use .inc extensions for configuration files that include database passwords. Sometimes these can be displayed in plain text in a browser. Always use .php extensions for any files that include database configuration information to be used by PHP.
    • Don't use the combination of username/password for anything else. If for whatever reason your database credentials get compromised, they will not be good for anything else.
    • On a live site, disable PHP error reporting for your site. In case of an error, you don't want the full path of your configuration files revealed. To do this, include this code in your PHP web application:
      PHP Code:
      // Turn off all error reporting
      error_reporting(0); 
      More information on PHP error reporting can be found here: http://php.net/manual/en/function.error-reporting.php
    • To prevent directory browsing on any directories used for storing configuration files you can simply create a blank index.html file.
    • (For Linux Users)
      If you don't want to place files outside the public_html directory, you can add the following to a .htaccess file to prevent the file from being accessed:

      Code:
      <files db_config.php>
      order allow,deny
      deny from all
      </files>
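    The following is an added example, not code from the thread or from any hosting control panel. It pulls the advice above together: the credentials file sits outside the document root, the loader refuses to run if that file is exposed or world-readable, and error detail is kept out of the browser. The file layout (a db_config.php next to public_html that returns an array) and the array keys are assumptions.

    ```php
    <?php
    // Added example: load MySQL credentials from a file kept outside the web root.
    // Assumed layout: /home/user/db_config.php beside /home/user/public_html,
    // with db_config.php containing only:
    //   <?php return ['host' => 'localhost', 'name' => 'app', 'user' => 'app', 'pass' => 'secret'];
    // Returning an array (rather than echoing) means nothing is printed even if the
    // file were ever served directly.
    $configPath = dirname($_SERVER['DOCUMENT_ROOT']) . '/db_config.php';

    function loadDbConfig(string $path): array
    {
        $real    = realpath($path);
        $docRoot = realpath($_SERVER['DOCUMENT_ROOT']);
        if ($real === false || !is_readable($real)) {
            throw new RuntimeException('Database configuration is missing or unreadable.');
        }
        // The core point of the thread: the file must not live under the document root.
        if ($docRoot !== false && strpos($real, $docRoot . DIRECTORY_SEPARATOR) === 0) {
            throw new RuntimeException('Database configuration must be outside the document root.');
        }
        // On a shared host, a world-readable credentials file defeats the purpose.
        if (fileperms($real) & 0004) {
            throw new RuntimeException('Database configuration must not be world-readable.');
        }
        $config = include $real;
        foreach (['host', 'name', 'user', 'pass'] as $key) {
            if (!is_array($config) || !isset($config[$key])) {
                throw new RuntimeException("Database configuration is missing '$key'.");
            }
        }
        return $config;
    }

    // Keep paths and SQL text out of the browser; the server log still gets the detail.
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');

    try {
        $cfg = loadDbConfig($configPath);
        $pdo = new PDO(
            "mysql:host={$cfg['host']};dbname={$cfg['name']};charset=utf8mb4",
            $cfg['user'],
            $cfg['pass'],
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
        );
    } catch (Throwable $e) {
        error_log($e->getMessage()); // full message goes to the log only
        http_response_code(500);
        exit('Service temporarily unavailable.');
    }
    ```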

  3. #3
    smokebox Guest


    Excellent response, Max.

    Thank you.
