Reputation: 51
PHP: How to hide the password for database connection/email connection statement?
I have a website developed in PHP. There are 2 classes (in 2 seperate php files) that contain the siteadmin's gmail user id and password (in plain text) and database password (again in plain text). Though none of these classes are displayed on the browser ( like index.php). These files contain only php classes and no html code and the references to those plain text passwords is only through objects of those classes. Off late, I have started to wonder if this is secure enough? I have tried my best (acting as a malicious person) to try and read the contents of the two said php files but was not able to do so. I am not very conversant with developing secure code, so not sure what should be my approach to make sure that these passwords never get exposed. Could any one please suggest best practices to develop php code that can contain such sensitive information securely.
Upvotes: 5
Views: 2451
Answers (3)
Reputation: 48256
Don't store passwords in files, because someone will eventually check that file into source control. Or someone will set a permission incorrectly.
Run the application with its own O/S user account
Put the passwords in an O/S environment variable for the application user (not a system environment variable)
Upvotes: 0
Reputation: 29629
Firstly, I'd look at using OAuth for accessing GMail if at all possible - it means you don't have to store credentials at all, and provides some level of protection in case your server does get compromised.
I would also look at the answers to this question.
Finally, if your site is on the public internet, it's worth reading up on at least the basics of internet security, and especially securing web applications. There are all sorts of ways things can go wrong. I like the "hacking exposed" books.
Upvotes: 0
Reputation: 1176
- Put configurable items in a separate configuration file, above your public web directory
- Make sure you have set correct file permissions to your files
- Check your web application for local (and remote) file inclusion
- Have your server up-to-date
Having your passwords at a safe spot is not the complete solution, you'll need to have your complete PHP application secure, and nobody unauthorized should be able to get root/administrator access to the server.
Upvotes: 4
Related Questions
- How to hide password in configuration files
- How to secure database passwords in PHP?
- How to use database password?
- hide mysql password in php file
- PHP: Securing database connection credentials
- How can I avoid hardcoding the database connection password?
- How to modify PHP password connection to the database?
- How could we use a password which is not stored anywhere for accessing DB
- PHP how to secure password in database
- Issues hiding password to MySQL Database in PHP file