Hide mysql password and username in php script

Status
Not open for further replies.

CoffeeQuick

Programmer
Jul 6, 2004
I am new to PHP and MySQL.

I have written a script (using the db.php PEAR extension) to access a database, but the username and password to connect to the database are embedded in the script for anyone to find.

Does anyone know how to securely hide this information?

I have tried searching via Google and have not come up with any useable answers to this problem.

One I found suggested putting the username etc. in the PHP configuration file on the server and getting them as system variables (php_value mysql.default_user etc.), but I don't appear to have access to this file on my host's server.

Thanks.
 
Under normal circumstances, a user with a web browser will never see your PHP source code, just the output of the script. However, if you want to guard against web server mismanagement, place the credentials in a separate file that is outside the document root of the current web site and include that file. include() and require() will both operate on any part of a web server's filesystem, not just the document root.

If you want to guard against a user's gaining access to your source code through a command prompt (on the console or through telnet or ssh), then something like Zend Encoder or Turck MMCache will convert your code into a version that PHP can run, but is not human-readable.

If you want to guard against a determined, experienced user's gaining access to a command prompt, there is not a heck of a lot you can do. This is true not only of PHP but of nearly every language.


Want the best answers? Ask the best questions!

TANSTAAFL!!
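
The separate-file approach from the reply above, as an added example that is not part of the original thread: a loader that refuses a credentials file located under the document root, then connects. It uses PDO rather than the PEAR DB package the question mentions; the path `/home/example/private/db-credentials.php`, the function name `load_db_credentials` and the `dsn`/`user`/`pass` keys are assumptions.

```php
<?php
declare(strict_types=1);

// Added example. The path, file layout and key names below are assumptions.
// The credentials file is plain PHP that returns an array, for instance:
//   return ['dsn' => 'mysql:host=localhost;dbname=app', 'user' => '...', 'pass' => '...'];

function load_db_credentials(string $file, string $docRoot): array
{
    $real = realpath($file);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('Credentials file or document root not found');
    }
    // A file under the document root could be served as text if PHP handling
    // is ever misconfigured, so refuse to use one that lives there.
    if (strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0) {
        throw new RuntimeException('Credentials file is inside the document root');
    }
    // On POSIX hosts, refuse a world-readable file (other local accounts).
    $perms = fileperms($real);
    if ($perms === false || ($perms & 0004) !== 0) {
        throw new RuntimeException('Credentials file is world-readable');
    }
    $cfg = require $real;
    if (!is_array($cfg)) {
        throw new RuntimeException('Credentials file did not return an array');
    }
    foreach (['dsn', 'user', 'pass'] as $key) {
        if (!isset($cfg[$key]) || !is_string($cfg[$key])) {
            throw new RuntimeException("Credentials file is missing '$key'");
        }
    }
    return $cfg;
}

try {
    $cfg = load_db_credentials('/home/example/private/db-credentials.php', $_SERVER['DOCUMENT_ROOT']);
    $db = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
} catch (Throwable $e) {
    // Log server-side only; never echo connection details to the browser.
    error_log('Database setup failed: ' . $e->getMessage());
    http_response_code(500);
    exit;
}
```

The world-readable check assumes the web server account can read the file as its owner or through its group; on a host where that is not the case, the permission test has to be relaxed to match.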
 
Thanks for your response sleipnir214,

I will put the credentials in a separate file as you suggest,
and have a look at using Zend Encoder etc..
 
One more thing:
The MySQL user you use for web access should be tightly restricted to
+) access the server only from the web server
+) access only the databases/tables required
+) hold only the privileges required

That way you safeguard that even if your username and password were exposed the attacker would have to use the PHP on your own server to access the database. Inside then only the tables you specified for the MySQL user would be exposed.

Just for fun:
We operate in a distributed PHP environment and provide our departmental customers with access to a MySQL database. We have a connection module that evaluates the script location and hands back a MySQL link handle. The customer never needs to know the password or username. The connection module is encoded using the Zend Encoder. Passwords and usernames are stored on a different system and retrieved using UNIX domain sockets.
 