1

*This question is for NON-local host's. *I am using a web-host service. NOT my personal server.

To use mysql_connect, to connect to a database's server, one needs to create a php file and save it in the web host's server. This file must have (within the code) the server's address a user name and PASSWORD:

**$conn = mysql_connect("server", "username", PASSWORD);**

Anyone who view's the page's code and downloads this php file can see the password, which is a security risk.

HOW CAN I SAFEGUARD MY DATABASE' SERVER' PASSWORD?

Omar
  • 11
  • 1

1 Answers1

3

You really don't have any good options for protecting the database password. You should make sure that the user/password combination only have access to the parts of your database necessary to make your web application run. In other words, don't make it the root password. If you have other databases not used by the web application, they should have different login credentials.

Unless the web server is misconfigured, it is not possible for anyone to download the PHP file to view the code. You should also, if possible, place the file containing the login credentials outside the web server's document root and include() it, lessening the chance that it could be accidentally exposed by a misconfigured web server.

This is a question of trusting the system administrators of your hosting company.

If you search around, you may find examples of attempts to store the encrypted credentials on another server and retrieve them at runtime via an encrypted connection, but still the keys to decrypt the information need to be held on the web server and are therefore accessible to the system administrators.

If your web host makes your files available to other clients/customers rather than partitioning them where they're only available to you, you should find a new host immediately.

Michael Berkowski
  • 267,341
  • 46
  • 444
  • 390