Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Greg Beaver's Blog:
Protecting a MySQL user/password in a PHP script
Apr 03, 2006 @ 07:37:38

Greg Beaver has posted some tips he has (with a few updates along the way) about protecting your MySQL username and password in a PHP script, hiding the plain-text version from would-be attackers.

Two days ago, I gave a talk at the University of Nebraska-Lincoln's computer science department colloquium on open source. At the reception preceding the talk, one of the students asked if there was a good way to protect the user/password of his MySQL scripts. This is an issue I have never run up against because we have a unique IP on the webhost, and it doesn't matter whether someone knows the user/pass, they can only connect directly from that host (and if someone can hack into the host, I doubt the database is the only thing that will be compromised).

The dilema was caused by the shared hosting of the students' sites and the plain-text storage of their database user/pass in a Wordpress file. Greg suggested two methods, one where each user gets their own Apache space, and another where the password is stored in a read-only file that just the server has access to.

Chris Shiflett came back with a comment, however, about another, more secure mthod - using an .htaccess that only the user can work with (and can change at any time) containing and setting Apache environment variables the script could then pull.

tagged: protecting database login password htaccess protecting database login password htaccess