Database password info
jamesm6162
06-12-2008, 06:02 AM
Hi all
I want to store default information for a website in a configuration file.
This will include the host, username and password for the MySQL database that I will be accessing with my PHP scripts throughout.
I don't want to hard code the above information into my PHP code as it makes the maintenance a lot harder.
However, seeing as this is sensitive information that I don't want anyone to view, where (or how) should I store this file?
Any suggestions will be appreciated.
Thanks
sridhar_423
06-12-2008, 06:38 AM
Did you check base64-decode (http://www.php.net/manual/en/function.base64-decode.php)?
You may apply the same function n times on the actual text and store it, so that anyone who looks at the properties file will not get to know how many times they need to decode.
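<?php
// Encode the text twice before storing it
$string = "sridhar";
$encodedStr = base64_encode(base64_encode($string));
// Decode the same number of times to read it back
echo base64_decode(base64_decode($encodedStr));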
Someone might update the thread with a better solution.
NogDog
06-12-2008, 12:58 PM
Save the file outside of your web document root directory, then include it (or otherwise access it) via the local file system. As far as encoding it, it probably does not really matter. If a hacker has gotten far enough in to access a file outside of the document root, then he also has access to the source code of the script that accesses it, and thus how to decode it.
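The approach described in the post above (keep the file outside the document root and include it via the local file system), as an added example that is not part of the original thread. The directory layout, the file name db.ini and the function load_db_config() are hypothetical, and the permission check assumes PHP runs as the account owner or its group.

```php
<?php
declare(strict_types=1);

/**
 * Load DB settings from a file kept outside the web document root.
 * Hypothetical layout (an assumption, not from the thread):
 *   /home/site/public_html      <- document root
 *   /home/site/private/db.ini   <- host, username, password
 */
function load_db_config(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);   // resolves symlinks and ".."
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('Config file or document root not found');
    }

    // Refuse a file that the web server could serve as a plain download.
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $rootPrefix, strlen($rootPrefix)) === 0) {
        throw new RuntimeException('Config file is inside the document root');
    }

    // On a shared server, other accounts should not be able to read it.
    $perms = fileperms($real);
    if ($perms !== false && ($perms & 0004)) {
        throw new RuntimeException('Config file is world-readable');
    }

    // RAW mode: values such as the password are not interpreted.
    $cfg = parse_ini_file($real, false, INI_SCANNER_RAW);
    if ($cfg === false) {
        throw new RuntimeException('Config file could not be parsed');
    }
    foreach (['host', 'username', 'password'] as $key) {
        if (!isset($cfg[$key])) {
            throw new RuntimeException("Missing config key: $key");
        }
    }
    return $cfg;
}

// Usage from a script that lives directly in the document root.
$cfg = load_db_config(dirname(__DIR__) . '/private/db.ini', $_SERVER['DOCUMENT_ROOT']);
$db  = new mysqli($cfg['host'], $cfg['username'], $cfg['password']);
```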
jamesm6162
06-13-2008, 01:23 AM
Thanks guys.
What is the likelihood of someone obtaining access to outside of the document root?
NogDog
06-13-2008, 01:24 PM
On a dedicated server, it's directly proportional to the probability of them obtaining a login/password to your control panel or FTP access.
On a shared server, it's a bit more problematic depending on how the accounts are set up and what sort of security restrictions are in place, as someone else with access to that server (legitimate or hacked) might be able to run scripts via that account that look at other accounts. But if you are dealing with truly sensitive data, then it's probably time to get a dedicated host.
In either case, make sure you are using strong passwords and not sharing them with anyone who does not have a legitimate need to know.