Store MySQL connection data in a secure way

Question

Hello fellow web developers

I am developing website with PHP and MySQL and I need a secure way to store the MySQL connection data (i.e. host, username and password) in a secure way.

I have found many answers to this question, and the best one I found is to store them in the php.ini file. I also realized that the key of securing such data is to store them outside of your home directory (like htdocs if you are working with xampp or public_html if you are hosting your website somewhere).

I'm storing them now in the php.ini file, but I won't have access to it once I upload my website.

what should I do?

Answer 1

It's not necessary to put the credentials in php.ini. They're no more safe there than any other file outside your HTTP document location(s).

It's sufficient to store the connection parameters in any PHP file outside any directory that your HTTP requests can reach directly. I.e. don't put it in DocumentRoot or in any other Location that your HTTP server can reach.

And make sure your server itself doesn't get compromised. If someone can hack in and get direct access to files or processes on your HTTP server, the database credentials are not your greatest worry.

If you have no access to any folder outside your domain folder, can you at least set up a .htaccess file to deny from all so that no HTTP request can have direct access to the file (or directory) where you store private data? Of course PHP code can still read such files with include or require.