a better approach than storing mysql password in plain text in config file?

by

Personally, I store sensitive information such as database connection details in a config.ini file outside of my web folder’s root. Then in my index.php I can do:

$config = parse_ini_file('../config.ini');

This means variables aren’t visible if your server accidentally starts outputting PHP scripts as plain text (which has happened before, infamously to Facebook); and only PHP scripts have access to the variables.

It’s also not reliant on .htaccess in which there’s no contingency if your .htaccess file is moved or destroyed.

Caveat, added 14 February 2017: I’ll now store configuration parameters like this as environment variables. I’ve not used the .ini file approach for some time now.

More Related Contents:

  1. How to best store user information and user login and password
  2. How Secure Is This Login System? (Using Cookies In PHP)
  3. How can I prevent SQL injection in PHP?
  4. SQL injection that gets around mysql_real_escape_string()
  5. Is “mysqli_real_escape_string” enough to avoid SQL injection or other SQL attacks?
  6. How can I store my users’ passwords safely?
  7. Reference: What is a perfect code sample using the MySQL extension? [closed]
  8. How to create a secure mysql prepared statement in php?
  9. Two-way encryption: I need to store passwords that can be retrieved
  10. How do I use password hashing with PDO to make my code more secure? [closed]
  11. Using PHP 5.5’s password_hash and password_verify function
  12. Generating a random password in php
  13. What does it mean to escape a string?
  14. SQL injections in ADOdb and general website security
  15. How to retract a salted password from the Database and auth user?
  16. PHP MySQLI Prevent SQL Injection [duplicate]
  17. Why is using a mysql prepared statement more secure than using the common escape functions?
  18. Are mysql_real_escape_string() and mysql_escape_string() sufficient for app security?
  19. how safe are PDO prepared statements
  20. encrypt and decrypt md5
  21. Why is password_verify returning false?
  22. “slash before every quote” problem [duplicate]
  23. How to create a laravel hashed password
  24. Hiding true database object ID in url’s
  25. Many hash iterations: append salt every time?
  26. Is it ever ok to store password in plain text in a php variable or php constant?
  27. How to log in to phpMyAdmin with WAMP, what is the username and password?
  28. Best way to connect to MySQL with PHP securely [duplicate]
  29. Strange problem with the length of the field gotten from database [duplicate]
  30. Unique key generation

Leave a Comment