Do both. And also create a read-only MySQL user for all connections that do not need to update the db, which is probably most pages and queries. Then, even if they do get that user name and password, they can't do any damage. Have a separate user and connection script for those pages/scripts that will update the db.
For both the read-only and the read-write user, also restrict the tables and columns that they can access. Deny all create/alter/drop table and db privileges etc, so that even if someone did hack the username and password they could not do too much damage.
Oh, and have a really good read about .htaccess and how to protect your db connect scripts with the usernames and passwords from being read by anyone who did gain access to the server. That is what laserlight is pointing to when he says to put the script outside the public file system.
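
The two-account setup described in the post above, as an added example that is not part of the original post. The database `shop`, its tables and columns, the account names `app_ro` and `app_rw`, and the passwords are all hypothetical placeholders.

```sql
-- Added example: hypothetical schema `shop` with tables products, orders, users.
-- Accounts are limited to connections from the web server's own host.
CREATE USER 'app_ro'@'localhost' IDENTIFIED BY 'CHANGE_ME_RO';
CREATE USER 'app_rw'@'localhost' IDENTIFIED BY 'CHANGE_ME_RW';

-- A new MySQL account starts with USAGE only (no privileges), so
-- CREATE / ALTER / DROP stay denied as long as they are never granted.

-- Read-only account: used by every page that only displays data.
GRANT SELECT ON shop.products TO 'app_ro'@'localhost';
GRANT SELECT ON shop.orders   TO 'app_ro'@'localhost';
-- Column-level grant: the password hash and e-mail columns of users
-- are not listed, so this account cannot read them.
GRANT SELECT (id, username, display_name)
    ON shop.users TO 'app_ro'@'localhost';

-- Read-write account: used only by the scripts that modify data.
-- No DELETE, and no privileges on the database or server level.
GRANT SELECT, INSERT, UPDATE ON shop.orders TO 'app_rw'@'localhost';
GRANT SELECT (id, username, display_name),
      UPDATE (display_name)
    ON shop.users TO 'app_rw'@'localhost';

-- Check: the output should list only the table and column grants above,
-- with no "ALL PRIVILEGES" and no "ON *.*" line other than USAGE.
SHOW GRANTS FOR 'app_ro'@'localhost';
SHOW GRANTS FOR 'app_rw'@'localhost';
```

Each connection script then uses the account that matches what its pages need, so stolen read-only credentials cannot change any row or table definition.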