[Solved] How to safely connect to a database [closed]


Your web server will be configured to process certain file types. For example, when you load a PHP page, it doesn’t (or shouldn’t) output the PHP to the screen — instead it processes it.

You have a couple of good options for protecting this information.

1) Store the details in a PHP file as variables (you are most likely doing this). A lot of times, these will be in an array:

$dbParams = array(
   'database' => 'my_db',
   'host'     => 'localhost',
   'username' => 'my_web_user',
   'password' => 'abc123',
);

As long as you never output the $dbParams variable, you are fine.

2) Another option is to use something like you see above, but instead of literal values, you pull in environment variables.

$dbParams = array(
   'database' => $_ENV['myapp_db_name'],
   'host'     => $_ENV['myapp_db_host'],
   'username' => $_ENV['myapp_db_username'],
   'password' => $_ENV['myapp_db_password'],
);

Then in your server configuration, you would set those environment variables to whatever you need. In this way, if for some reason PHP stopped working and it started outputting your web files as plain text, they would never see your sensitive information. You will also notice I namespaced the environment variable. This is a good idea as they are global and if you just used something like host you would most likely have a collision.

[EDIT]

Reading your updated comments, it sounds like you are worried about files on your local computer — not a webserver. You should take the precautions necessary to secure your local computer from remote access as you would normally (i.e. firewall, virus scanning to hopefully prevent trojans, etc.). In reality, unless you are Facebook or Google, people probably wouldn’t really care what your local database password is.

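The environment-variable approach from option 2, carried through to an actual connection, as an added example that is not part of the original answer. It assumes a MySQL database with the pdo_mysql extension; the function names `loadDbParams` and `connect` are hypothetical, and the variable names are the ones used in the answer.

```php
<?php
// Added example, not the answer author's code. Assumes MySQL via pdo_mysql.

/**
 * Read the namespaced connection settings from the environment.
 * getenv() is used because $_ENV is only populated when the php.ini
 * variables_order setting includes "E".
 */
function loadDbParams(): array
{
    $map = [
        'database' => 'myapp_db_name',
        'host'     => 'myapp_db_host',
        'username' => 'myapp_db_username',
        'password' => 'myapp_db_password',
    ];
    $params = [];
    foreach ($map as $key => $envName) {
        $value = getenv($envName);
        if ($value === false || $value === '') {
            // Fail closed and name the missing variable, never its value.
            throw new RuntimeException("Missing environment variable: $envName");
        }
        $params[$key] = $value;
    }
    return $params;
}

function connect(array $p): PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $p['host'], $p['database']);
    return new PDO($dsn, $p['username'], $p['password'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

try {
    $db = connect(loadDbParams());
} catch (Throwable $e) {
    // Log only the exception class server-side: driver messages can contain
    // the user name and host. The client gets a generic error.
    error_log('Database connection failed: ' . get_class($e));
    http_response_code(500);
    exit('Service unavailable');
}
```

Catching the exception at the connection site matters here because an uncaught error with `display_errors` enabled would print connection details into the response, which is the "never output `$dbParams`" condition from option 1 in another form.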