40

My connection.php file stores the credentials to connect to the database:

<?php 
 $objConnect = mysql_connect("localhost","username","password"); 
 mysql_select_db("selectDB", $objConnect);
?>

When a page need to connect the database I just use <?php include("connection.php"); ?>.

Is this safe? Can hackers steal my credentials from that file?

Anders
65.9k25 gold badges188 silver badges227 bronze badges
asked Apr 1, 2012 at 15:52
2
  • 4
    So every PHP web application does this... Commented Apr 1, 2012 at 16:34
  • 2
    This is about as secure as you can hope to get... which isn't really particularly secure at all.. but there you go. Commented Apr 2, 2012 at 1:44

4 Answers 4

44

My recommendation: Don't store passwords in source code.

Instead, store them in a configuration file (outside of the web root), and make sure the configuration file is not publicly accessible. The reason is that you normally don't want to keep your passwords checked into the source code repository or exposed to everyone who can view files in your web root.

There is an additional risk with storing passwords in a .php file within your webroot, which is a bit obscure but can be easily avoided by placing the file outside of your web root. Consider: if you are editing connection.php using a text editor, and your connection drops while you are editing it, your editor will automatically save a copy of the connection.php file in some backup file: e.g., connection.php~ (in the same directory). Now the backup file has a different extension, so if someone tries to fetch that file, the Apache server will happily serve up a copy of the file in plaintext, revealing your database password. See 1% of CMS-Powered Sites Expose Their Database Passwords for details.

See also How do open source projects handle secure artifacts?, Open Source and how it works for secure projects?

answered Apr 2, 2012 at 1:27
6
  • 3
    +1 I like this answer the most. But I need to note that places outside of web root are still accessible on websites with local file inclusion vulnerabilities. Well the hacker would still need to guess the location. Commented Apr 2, 2012 at 3:02
  • Exactly. Most of the risks are not around storing the password somewhere on disk, but around the differences in how you use/treat source code files vs. configuration files. This is something of a human problem rather than a technological one. +1 Commented Mar 15, 2018 at 21:04
  • You're all suggesting to store credentials outside wwwroot. Ok, I understand the security background. But how should it be stored in version control then (sample config)? Usually wwwroot is the root of git repo, so if there is anything outside - it will be outside of VC. Imagine new developer trying to set up a local instance for development - how should he know magic like "take this file, copy it outside and fill in"? Commented Aug 10, 2018 at 18:18
  • 1
    @TheGodfather, that's a separate question, and should be asked separately. But do some research first (including reading the links I gave) -- I think it's been answered in a bunch of places. One approach is to put the secrets in a separate config file, and don't store that config file in version control. Indeed, passwords and crypto credentials should probably not be stored in version control, but should be managed in a different way. Commented Aug 10, 2018 at 19:39
  • I did before posting a comment. If your config (or sample config) is not in VC then it's kind of "sacred knowledge" so noone really knows how to configure your app. You shoudn't store actual credentials in VC, but you should store config file itself. Having readme like "create file in this random place on filesystem and fill it in with values" is not really helpful here. Commented Aug 10, 2018 at 19:44
12

It's reasonably safe. To get the content of the php file, a hacker needs to compromise your server, or you need to mis-configure it.

Still I recommend configuring mysql so that the user used by the script isn't accessible remotely, and use a different user for administrative remote access.

answered Apr 1, 2012 at 16:02
2
  • I wouldn't even allow remote admin - route access via phpmyadmin with appropriate controls (SSL + preferably running on a dedicated port) or even better only allow access via ssh then mysql client over filesystem socket. Commented Apr 2, 2012 at 14:05
  • feross.org/cmsploit Commented Jun 7, 2020 at 9:52
7

The problem comes if you have a PHP script that possibly downloads the files on your server e.g download.php?=index.php.

If you check Google, you will see that this vulnerability exists within many other sites.

Limit
3,2861 gold badge20 silver badges36 bronze badges
answered Apr 1, 2012 at 18:59
6

The /etc/php/N.m/apache2/php.ini already contains a section to store the MySQL username and password, if mysqli is used:

[MySQLi]
mysqli.default_host =
mysqli.default_user =
mysqli.default_pw =

This password can be easily read via php get_cfg_var method

  • echo get_cfg_var("mysqli.default_pw")

It could be an security issue if the hacker can get the php permission.

We can config the password with a customized key so hacker need to guess the key, like:

my_raldfklg_random_key_pw=top-secret-password

So in the php code we can load the password via

  • echo get_cfg_var("my_raldfklg_random_key_pw")
answered Jun 21, 2021 at 7:30
2
  • Is there something like this for being able to connect to MongoDB Commented Sep 29, 2021 at 20:46
  • 2
    @user2402616 There is no MongoDB section, well we can add a new key for mongodb in the php.ini's standard section. like: mongodb_dflkjadkfl_username=... and mongodb_dflkjadkfl_password=..., then get the value via get_cfg_var("mongodb_dflkjadkfl_username") and get_cfg_var("mongodb_dflkjadkfl_password") , where dflkjadkfl is some random text and you can change to whatever others Commented Oct 4, 2021 at 17:14

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.