Reputation: 2815
PHP security: store connection details in constants or private properties?
I was wondering if it's better to store connection variables as constants (because they can't be changed) or as private properties (because they can't be viewed). My apologies to all those who reel in horror at my lack of security nous...
Upvotes: 6
Views: 779
Answers (2)
Reputation: 6485
I think it doesn't matter; your code should be protected both from code injection and viewing. If someone will have access to somehow inject code into your system accessing connection strings seems like a smaller problem then that.
Upvotes: 0
Reputation: 132254
My thoughts are that it really doesn't matter (from a security point of view). If someone has your code, then you are equally screwed either way. If someone doesn't have your code, then it doesn't matter because they can't execute it without the code for it to be an issue (if you have remote code execution vulnerabilities, you have larger issues than your connection strings).
From a design point of view, I'd probably use a private constant.
Upvotes: 3
Related Questions
- PHP Class Constants - Public, Private or Protected?
- PHP - when to use private static properties in the class
- PHP downsides of storing mysql PDO connection using define
- Is it good or bad to store the DB connection details with define()?
- Should a PHP app store configuration data in defined constants or a database?
- Global connection variable or new one every time
- Is it wise to define connection variables?
- constant vs properties in php?
- user defined constants from db vs. from file
- PHP - define constants versus using config.ini