Where to Store Database Login Credentials for a PHP Application

Where to safely store database credentials within a PHP website

Common practices for this problem include putting the database credentials in a configuration file that is not PHP, such as a .ini file, and then reading that with PHP. To add extra security you should also put the configuration file outside of the web root, so that you can be sure no one can access the file by navigating directly to it.

For example, the Laravel framework (among others) define the web root in the /public directory, while outside that directory is a .env file containing database credentials among other settings.

Have a look here for more info: How to secure database passwords in PHP?

More importantly though, you should never have to worry about your PHP being served as plain text. Take the proper development precautions to ensure this never happens. Some starting points are:

Making sure you have PHP installed!
Make sure you open and close your tags properly
Make sure your file extension is .php and not .html (unless you use this work around)
Also make sure in production code that you aren't displaying errors on the page (display_errors ini)

Where to store database login credentials for a PHP application

I use an .ini-file, which is then parsed via parse_ini_file(INI_FILENAME_HERE, true).
This file isn't under version control (as are the php-/template-/whatever-files). So on every machine I create that file (.database.ini) for the respective database connection.

Example .ini-file for a MySQL-connection, using PDO:

[db_general]
driver = "mysql"
user = "USERNAME"
password = "PASSWORD"

; DSN
; see http://www.php.net/manual/en/pdo.drivers.php
[db_data_source_name]
host = "localhost"
port = 3306
dbname = "DATABASE_NAME"

; specify PDO-options, provide keys without PDO::
; see http://www.php.net/manual/en/pdo.drivers.php
[db_pdo_options]
MYSQL_ATTR_INIT_COMMAND = "SET NAMES utf8"

; specify more PDO-attributes, provide keys without PDO::
; see http://php.net/manual/en/pdo.setattribute.php
[db_pdo_attributes]
ATTR_CASE = "PDO::CASE_LOWER"
ATTR_ERRMODE = "PDO::ERRMODE_EXCEPTION"
ATTR_EMULATE_PREPARES = false

Since one can't use :: within .ini-file-keys, use constant('PDO::' . $iniKey) in your code to get the desired PDO-constants.

Best way to store database login credentials for a PHP web pages

I have used some frameworks like Yii, CodeIgniter and Django and all of them store the database connection in a file in plain text. For example in Yii is under protected/config/main.php. So theoretically it is safe to store your credentials this way. Of course you can take more measures like Yii that use an .htaccess to deny all access to the protected folder (hence the name protected)

In an ideal world only you (and your co-workers) have access to this file.

Where to store MySQL credentials in PHP scripts?

Your web root, which is $_SERVER['DOCUMENT_ROOT'] in PHP, is the folder on your filesystem that your webserver (in this case, Apache) points to for a particular host.

For example, if you put this code in your index.php file and visit your domain name (or subdomain name), it will tell you your web root.

    <?php
    header("Content-Type: text/plain;charset=UTF-8");
    die($_SERVER['DOCUMENT_ROOT']);
    ?>

It should say something like, /home/some_user/public_html or /var/www. In this case, you want to create a path that is not inside of this directory.

For example: /home/some_user/config or /var/webconfig.

You do NOT want to store it in /home/some_user/public_html/config (notice the public_html) or /var/www/webconfig (notice this is a subfolder of /var/www)

The idea of storing data outside your web root is that an attacker cannot navigate to http://yoursite.com/config/mysql.txt and obtain your passwords. LFI and directory traversal attacks are not in the scope of this initiative.

You also should not check any sensitive information (database credentials, encryption keys, etc.) into version control. Ever.

How to access them from PHP?

That depends how your configuration is encoded.

<?php
$config = parse_ini_file('/home/some_user/config/mysql.ini');
// OR
$config = json_decode('/home/some_user/config/mysql.json');
// OR
require_once '/home/some_user/config/mysql_config.php';
?>

Secure storage of database credentials

Simply place info.php outside your webroot. This way, you can include it, but should your web hosting f*#$ up, no one else can view that file, even as plain text.

You would then include it like this:

include('../info.php');

This way, even if someone finds out that you have a file called info.php that stores all your passwords, they cannot point their browser to that file.

The above would be the ideal and most watertight solution. However, if that is not possible due to permissions, the other option would be to place all sensitive files in a directory and block direct access to that directory using a .htaccess file.

In the directory you want to block off access to, place an .htaccess file with the following contents:

deny from all

How to secure database passwords in PHP?

Several people misread this as a question about how to store passwords in a database. That is wrong. It is about how to store the password that lets you get to the database.

The usual solution is to move the password out of source-code into a configuration file. Then leave administration and securing that configuration file up to your system administrators. That way developers do not need to know anything about the production passwords, and there is no record of the password in your source-control.