Security Risk - Database Username and Password

9/17/2006 6:13:29 PM
PHPRunner General questions
MikeB941 author

Hello:
Just checking with you all on this...
Usually when using PHP and MySQL, I place the database login information (username and password) in an include directory that is NOT accessible to the outside world (i.e. NOT in the public HTML directories) and add this "non-reachable" directory to the PHP search path for include statements.
This protects the outside world from reading the include file and acquiring the database username and password.
I happened to notice the database username and password appear in dbcommon.php in a publicly accessible include directory and are available for READ to the outside world.
Please let me know if I'm wrong about this.
Take Care... Mike.

jenolan 9/17/2006

Please let me know if I'm wrong about this.


On shared hosting it is possible that another shared site will gain access to the file for open(), but in this case it would also be able to open the file wherever it is.
All I do is remove the login, move it to another area (non-web) and include it. Sure, every time you rebuild you have to do the edit again, but being security paranoid like me, you learn to put up with it :)

Alexey admin 9/19/2006

Mike,
there is no need to remove php files from the web-accessible folders.
It's impossible to read the PHP file contents from the Web, so your database username and password are secured.
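
The approach discussed in this thread (a credentials file kept outside the web root and pulled in with an include), as an added example that is not part of the original posts and is not PHPRunner's generated code. The function name `load_db_credentials`, the path and the array keys are assumptions; the permission check assumes a POSIX host where PHP runs under the site's own account or group.

```php
<?php
// Added example: names, paths and array keys are assumptions, not PHPRunner code.

/**
 * Load DB credentials from a file that must live outside the web root and
 * must not be readable by other local accounts (the shared-hosting case).
 */
function load_db_credentials(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('Config file or document root not found');
    }

    // Refuse a config file located anywhere under the document root.
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $rootPrefix, strlen($rootPrefix)) === 0) {
        throw new RuntimeException('Credentials file is inside the web root');
    }

    // Refuse any "other" permission bits, so a neighbouring account on the
    // same host cannot open the file (checked on POSIX hosts only).
    if (DIRECTORY_SEPARATOR === '/' && (fileperms($real) & 0007) !== 0) {
        throw new RuntimeException('Credentials file is accessible to other users');
    }

    // The file is expected to return an array with the four keys below.
    $cfg = require $real;
    foreach (['host', 'user', 'password', 'dbname'] as $key) {
        if (!is_array($cfg) || !isset($cfg[$key])) {
            throw new RuntimeException("Missing '$key' in credentials file");
        }
    }
    return $cfg;
}

// In the web-accessible include (dbcommon.php in this thread) only the call
// remains; the path below is a placeholder for a directory outside the web root.
$cfg = load_db_credentials(
    '/home/example/private/db_credentials.php',
    $_SERVER['DOCUMENT_ROOT'] ?? ''
);
```

The loader fails closed: if the file is missing, sits under the document root, or carries world permission bits, it throws before any connection is attempted.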