How to Secure Sql Password

Question

I am using SQL in my app so i have created php site to manege it. the problem is that the password required in mysqli_connect is the password to the main server (all the file maneger,mysql,etc). what is the best way to secure my password (sending it from the app or wirte it down explicitly in the php source file). Other suggestions?

Answer 1

First up: Make a new account for your application with only the privileges required for your app!

Second: Put the in a file somewhere on your system locked down as best as possible. There are things you can do to obfuscate the password further, but in the end you will end up with a plaintext something which can be used to work your way back to the database credentials. So to be clear:

1. Use a database account with minimum privledges needed to run the app.
2. Manage security to the config file holding the password as best as possible (only the user running the service and admin should have access), keep it outside the webroot.
3. Just refreshed the other answer - the advice by @FritsVanCampen is also dead on.

Answer 2

There are many ways, but in general: put it in a file that is outside of the webroot, or a file that is otherwise unreadable from the outside. ie. a PHP file that gets executed will not expose it's source.

If you're using Apache you can store it in a file named .htsomething because Apache, by default, blocks access to any file starting with .ht*

You can store it in a file named secret.txt and block access to it by added an .htaccess RewriteRule.

For my projects I store settings in a JSON file that is outside of the webroot. One major advantage of this approach is that other applications, like a deploy or monitor tool, can read and easily generate this settings file. And it's also clean, you can't do any programming in JSON.