Security for MySql connection

[jisoo23]

This is probably a question that's been asked over and over but I haven't been able to find it while searching this forum =/

I've separated my database connection functions to a separate PHP page from the data logic. I have a concern that since the database username and password are written in plain text there, it could be a security risk. I've read that changing it's file permissions should do the trick but when I changed them to local user read-only my PHP pages can't reach it. Does anyone know what I should change it to? My web hosting provider is running Linux, right now that file is set to r--r--r--.

Thanks,
Jisoo23

 

[DRJ478]

It sems more important to me that you put database connection code into a location that is outside of the Web root. That way it is not possible for anyone to get there through the web server. The permissions must include read access for the web server that runs the PHP.
A very important measure of security is to restrict the MySQL user to only connect from localhost or the IP of your actual web server (in MySQL user definition).

The only way to make it more secure is to obfuscate the connection information or use a commercial encoding system such as the Zend Encoder.