Best Way to Connect to MySQL with PHP Securely

PHP & MySQL connection more secure

I am pretty sure that your host Provider is not parsing the PHP files, because it would not be possible to download the sources if they'd pass the interpreter.

Make sure you have PHP installed, configured and activated, contact your provider's support in case of questions. The easiest way to test this is to upload a file:

test.php

<?php phpinfo(); ?>

To protect a file it's enough to put the your database config php outside of public_html, html or htdocs directory (one of these is most likely to be your document root), where you still can include(); it via PHP.

Other solution is to protect the file via .htaccess where you put something like that inside the file and upload it to your document_root:

<Files db_config.php>
deny from all
</Files>

To add a little more security,
you can protect the db_config.php by adding this on top:

if (!defined('IN_MY_PROJECT')) {
die('forbidden');
}

and put this on top of your index.php:

define('IN_MY_PROJECT', true);

mysql/php is this a secure way to connect to mysql DB?

The reason you should consider putting this file outside the web root is that some hosting providers have temporarily stopped interpreting PHP from time to time (due to configuration faults, often after an update on their part). The code will then get sent in clear text and the password will be out in the wild.

Consider this directory structure, where public_html is the web root:

/include1.php
/public_html/index.php
/public_html/includes/include0.php

Now consider this index.php:

<?php
include('includes/include0.php');
do_db_work_and_serve_page_to_visitor();
?>

If the web server starts serving this file in the open, it won't take long before someone tries to download include0.php. Nobody will be able to download include1.php, however, because it's outside the web root and therefore never handled by the web server.

Store MySQL connection data in a secure way

It's not necessary to put the credentials in php.ini. They're no more safe there than any other file outside your HTTP document location(s).

It's sufficient to store the connection parameters in any PHP file outside any directory that your HTTP requests can reach directly. I.e. don't put it in DocumentRoot or in any other Location that your HTTP server can reach.

And make sure your server itself doesn't get compromised. If someone can hack in and get direct access to files or processes on your HTTP server, the database credentials are not your greatest worry.

If you have no access to any folder outside your domain folder, can you at least set up a .htaccess file to deny from all so that no HTTP request can have direct access to the file (or directory) where you store private data? Of course PHP code can still read such files with include or require.

Secure way to connect to a MySQL database

I'd outsorce the login-data into a file called something like "dbConnection.inc.php" and store it in a directory not accessible from outside.

In extreme cases it could happen that your provider serves .php pages as plain text. If that happens visitors could see your password. But if it's outsorced you'd prevent that...

How do I make my database connection secure?

You should put your database credentials in a file outside of the document root, so if something messes up and your PHP gets shown to users un-parsed, no-one will be able to see your password.

Have a look at this article on the subject this article on the subject:

The solution is simple. Place all sensitive data outside of your web server’s document root. Many experts now advocate placing most, if not all, of your php code outside of your web server’s document root. Since PHP is not limited by the same restrictions are you web server, you can make a directory on the same level as your document root and place all of your sensitive data and code there.



Related Topics



Leave a reply



Submit