All geek questions in one place

Secure storage of database credentials

Recently, a serious problem has occurred when my web host got messed up and all my php files were shown in plain text. This was a serious problem for me for obvious reasons. Mostly since the details of the mysql database have been exposed.

Now I'm trying to change the way my php files get information to enter the database so that it never repeats, even if the hosting company did not let me down.

My current setup is as follows:

include 'info.php'; class Login { var $host; var $username; var $password; var $db; var $url;

Inside info.php the username, password, etc. are indicated. for the database. I want to make sure that the info.php file is never viewed, and only my .php files have access to info.php to get login information.

How can I customize this? This is a little difficult to explain, so please don't be harsh and -1 to me for a poor description. Just ask and I will clear up all the gaps in my description.

+4
source share
3 answers

Just put info.php outside of your website. Thus, you can enable it, but if your web hosting f * # $ is up, no one else can view this file even in plain text.

Then you turn it on as follows:

include('../info.php');

Thus, even if someone finds out that you have a file called info.php that stores all your passwords, they cannot point their browser to this file.

Higher would be the ideal and most waterproof solution. However, if this is not possible due to permissions, another option would be to place all confidential files in the directory and block direct access to this directory using the .htaccess file.

In the directory you want to block access to, place the .htaccess file with the following contents:

deny from all

+5
source

If for some reason the xbonez answer does not work (say, a person does not have access to the non document_root folder). You can achieve the same using .htaccess

 <files info.php> order allow,deny deny from all </files>

This, theoretically (not verified), protects the file from being used in the browser, but does not block php from including the specified file.

+1
source

Create a form that redirects the file to the example "request.php" and includes it for all your requests. If your data is correctly redirected to a specific page, if they are not executed the same way. At the end of the switch is the anoreter redirection. Therefore, the user cannot see this page. Do not put the html tag or something - just logic.

-3
source

Source: https://habr.com/ru/post/1415263/

More articles:


All Articles