Database settings security

I've got a file on my site called dbSettings.php with the lines:

<?php
    $host = "localhost";
    $dbName = "database";
    $user = "user";
    $pwd = "pass";
    $db = new mysqli($host, $user, $pwd, $dbName);
?>

I get this page into my main page with the require_once() function. Is there ANY way for someone who's reaching this page through the server(my domain) to get a hold of the values stored in these variables? Is this a secure way to keep the database settings?

Answers


This is a common way to keep database credentials in php applications. Generally a config file would keep those settings some good practices are

  • Proper file permissions to the file such as chmod the file 640 instead of 600. Keep file ownership to your user and change group to webserver. This way, the webserver can only read and not modify it
  • Move file out of webroot so its not accessible directly by others
  • Only give needed database privileges to that database user If user just needs to access one database only give privileges for that database and data not give Structure or Administration related privileges if not needed
  • If possible protect with .htaccess <files dbSettings.php> order allow,deny deny from all </files>

Need Your Help

Activity as a intent receiver to just start another and quit

android android-activity

My app can be called from different intents, specifically from Android TV. I have created a special activity for this with the proper intent filter in the manifest. (If that intent (TV) were starti...

Animating GIF image throws exception

delphi animated-gif delphi-xe7

I'm trying to animate a GIF image in XE7, but when I set the Animate property to True an exception is raised.

About UNIX Resources Network

Original, collect and organize Developers related documents, information and materials, contains jQuery, Html, CSS, MySQL, .NET, ASP.NET, SQL, objective-c, iPhone, Ruby on Rails, C, SQL Server, Ruby, Arrays, Regex, ASP.NET MVC, WPF, XML, Ajax, DataBase, and so on.