Secure way to pass a db pswd to a script

julio2001

I'm sure this is an old topic, but i can't find an answer:
all my php scripts accessing a database have an include of a file containing variables with database name, user and password.
obviously this is not a secure way to protect my db because the include file is accessible via web browser (knowing is name)
which techniques do you use to make password available to scripts on a secure way?

thanks in advance

Anon

i put mine in a folder outside the root folder and that seems quite secure

philsown

I agree with placing the DB file outside of your web root. If you can't do that, give the DB file a .php extension (or .php3 or whatever) so that it is processed by PHP. If the file is an .inc file it will just be served raw.

=== db.php ===
<?
$db = mysql_connect ( "database", "user", "pass" ) or die ( mysql_error () );
$select = mysql_select_db ( "my_db", $db ) or die ( mysql_error () );
?>

If this file is access directly, the user will see nothing. You could also test for the file being executed:

<?
if ( $PHP_SELF != "/db.php" ) {

we're not in /db.php so we must be included

... do the db connection like above

} else {

echo "This is an include file so go away!";
exit;

}
?>

julio2001

Well, this seems to be a good way.
My question is:
if tthere is a problem and the php parser is down, what happens?
all php files are sent as text, isn't it?