Another security question

pianoparadise

Is it a good idea to store the username and password used to connect to a database in another file instead of the same .php file that connects to that database? What are the risks of not doing so?

laserlight

Is it a good idea to store the username and password used to connect to a database in another file instead of the same .php file that connects to that database?

Yes, in a file above/outside of the document root directory (your web directory, basically).

What are the risks of not doing so?

If for some reason the PHP interpreter fails to parse your PHP script and the PHP source code is displayed to the client, your database account credentials would be displayed to the user.

pianoparadise

I see now. But wouldn't the php source code also display the location of the include file?

laserlight

But wouldn't the php source code also display the location of the include file?

Now, suppose that the user decided to check what that include file contained...

If that file was not in the document root, the user would not be able to access it even with the failure of the PHP interpreter.

pianoparadise

I think I understand what you are saying now. I just don't understand where I should store this include file, if not my root directory (my web directory on my web host).

laserlight

I just don't understand where I should store this include file, if not my root directory (my web directory on my web host).

Some shared hosts do not allow you the place files outside of your document root (sometimes called "non-web space"). Those that do may have a document_root or public_html directory that is your document root, upon which you can just place this include file in the directory that contains your document root.

pianoparadise

So I would put the include file directly above the public_html directory? How would the link to it look in my php script, if the actual page it is referenced from is two folders down the line?

I know I'd use the require function, I just don't know what the info.inc should be replaced with.
require('info.inc');

laserlight

How would the link to it look in my php script, if the actual page it is referenced from is two folders down the line?

Something like:

require $_SERVER['DOCUMENT_ROOT'] . '/../database.php';

If you did not already know, the '..' means "parent directory".