1

What's the best practice to store database credentials in a CMS? Now I declare them in my Database singleton class:

$this->credentials = array("hostname"=>"hostname", "username"=>"username","password"=>"password", "database"=>"database");

But it's not so intuitive to search where to change them, and also I'm planning to make an install file for the CMS later.

Where and how do you store your connection preferences?

Rob Baillie
Deniss Kozlovs

3 Answers

1

CakePHP uses a config file called database.php (in /app/config/), in which a DATABASE_CONFIG class is declared:

class DATABASE_CONFIG {

    var $default = array(
        'driver' => 'mysql',
        'persistent' => false,
        'host' => 'localhost',
        'login' => 'user',
        'password' => 'password',
        'database' => 'database_name',
        'prefix' => '',
    );

    var $test = array(
        'driver' => 'mysql',
        'persistent' => false,
        'host' => 'localhost',
        'login' => 'user',
        'password' => 'password',
        'database' => 'test_database_name',
        'prefix' => '',
    );
}

This creates a single place where the user can set all their database configurations while the intuitive directory structure makes it obvious where database configurations are stored. And you can also specify multiple configurations for production, development, and testing purposes, which are easy to switch between.

Calvin
  • This is the typical approach to storing such configuration information. Sometimes .ini or XML formats are used instead, but the idea is the same. – Kalium Apr 03 '09 at 07:39
  • One note: if you use .ini /.xml you must block access to them with .htaccess, otherwise everybody will be able to see them. – Alekc Apr 03 '09 at 07:51
  • Yes, and I would not place those xml and ini files in root - I would still prefer them as config.php.mycustomextension or config.php rather than an xml or ini or txt - despite htaccess - I never trust it. – TheBlackBenzKid Feb 20 '12 at 10:41
1

As a general rule, I don't put credentials directly into the source code, but store them in configuration files. That makes it much easier to change them, for example when you are moving from your development machine to the test machine, which may (should) connect to a different database.

This configuration file should be stored somewhere outside the webroot directory.

You can also encrypt the password in some way, to have a little more security in case the config file does get compromised. On the other hand, if somebody gets physical access to your server, you're screwed anyway, so it may not be worth it.

Treb
1

You can use a singleton class, as you mentioned, or something simpler.

In all my config.inc.php files I have a standard associative array

$config['Main_Database'] = '';
$config['db_user'] = '';
$config['db_pass'] = '';
$config['db_host'] = '';

The concept is the same and you're on the right track. Make it something that, as a human, makes sense to you. If someone has access to your server you're screwed anyway, so it's not a big deal in terms of what is more secure.

As for the install file, I've seen many apps open the config file, adjust a few specific parts via the code and then actually re-write the file back to the server (rather than "store a setting"). It achieves the same result but done through a wizard as opposed to manually.

jerebear
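The config.inc.php array and install wizard jerebear describes, combined with Treb's advice to keep the file outside the webroot, as an added PHP example (not code from any of the answers; the path, key names and function names are assumptions):

```php
<?php
// Added example, not code from any answer: a config.inc.php-style array kept one
// level above this file's directory, written by the install wizard and checked
// on load. Path, key names and function names are assumptions.
define('CMS_CONFIG_PATH', dirname(__DIR__) . '/config/db.inc.php');
/**
 * Install-wizard writer. Emits a PHP file rather than .ini/.xml so a server
 * that is misconfigured executes it instead of serving the credentials.
 */
function writeDbConfig(string $path, array $config): void
{
    foreach (['db_host', 'db_name', 'db_user', 'db_pass'] as $key) {
        if (!isset($config[$key])) {
            throw new InvalidArgumentException("Missing config key: $key");
        }
    }
    // var_export() yields valid PHP literals, so quotes or "?>" in a password
    // cannot break the generated file or turn into executable code.
    $php = "<?php\n// Generated by the install wizard; keep out of version control.\n"
         . 'return ' . var_export($config, true) . ";\n";
    // Write a temp file, lock down permissions, then rename: readers never see
    // a half-written or world-readable file.
    $tmp = $path . '.tmp';
    if (file_put_contents($tmp, $php, LOCK_EX) === false) {
        throw new RuntimeException("Cannot write $tmp");
    }
    chmod($tmp, 0600);
    rename($tmp, $path);
}
/** Loader: refuses a file the web server could serve or other users could read. */
function loadDbConfig(string $path): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("Config not found: $path");
    }
    $docroot = empty($_SERVER['DOCUMENT_ROOT']) ? false : realpath($_SERVER['DOCUMENT_ROOT']);
    if ($docroot !== false && strpos($real, $docroot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("Config file is inside the webroot: $real");
    }
    if ((fileperms($real) & 0077) !== 0) { // group/other bits set (POSIX only)
        throw new RuntimeException("Config file is readable by other users: $real");
    }
    $config = require $real;
    if (!is_array($config)) {
        throw new RuntimeException("Config file did not return an array");
    }
    return $config;
}
```

The wizard calls writeDbConfig(CMS_CONFIG_PATH, $_POST-derived values) once at install time; every request then calls loadDbConfig(CMS_CONFIG_PATH) and fails closed if the file has drifted into the webroot or lost its 0600 permissions.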