Including passwords in scripts

nick1

Greetings,

Lets say I have a PHP script that connects to a MySQL database. This particular script creates tables, deletes tables, inserts rows, etc. In order for this operation to be successfull, a username and password needs to be supplied in the script - in plain text. gets really nervous

You probably see my question coming:
How do I protect the usernames and passwords I include in my scripts? Is some type of encryption function available? Is there a different place where these credentials can be placed and yet still be referenced in the scripts.

Thank you for your time,

Nick

NogDog

A typical technique is to define variables or constants in a separate include file, and put that include file in a directory outside of the web root directory (so that it is not accessible via HTTP requests from browsers or external scripts. Then simply include that file and use the variables in your script:

/home/username/includes/db.inc:

<?php
define('DB_HOST', 'localhost');
define('DB_USER', 'username');
define('DB_PWD', 'password');
define('DATABASE', 'database_name');
?>

/home/username/public_html/some_script.php:

<?php
require_once $_SERVER['DOCUMENT_ROOT'].'/../includes/db.inc';
mysql_connect(DB_HOST, DB_USER, DB_PWD) or die ('Unable to connect to DB');
mysql_select_db(DATABASE) or die ('Unable to select database');

This is not 100% fool-proof by any means, especially if you are on a shared server that is poorly configured, as other accounts on that host might be able to view your files, but it's better than nothing.

If you will be dealing with highly sensitive data (credit cards, SSN's, etc.) I'd recommend hiring a security expert (with good credentials and references) to protect your customers and to protect yourself from potentially irate customers and their lawyers.