How to protect MySQL username and password

I use php Mysql for my website.
I've created a php file called constants.php and included my database username and password in that file.
If someone is able to see the contents of this file, he can easily access my database. How can I improve the security and prevent hackers from accessing my username/password?


define("DB_SERVER", "servername");
define("DB_USER", "myusername");
define("DB_PASS", "mypassword");     <----- Plain and visible
define("DB_NAME", "dbname");

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Don't allow to connect remote hosts to it only local hosts can connect to the database and if anyone could see the password he won't connect because the mysql server is listening only on localhost
The basic problem is: you want your PHP script to access the database, but you don't what someone who knows everything your PHP script knows (i.e.the see the PHP file) to be able to access the database.

That means that access to the database needs to be controlled by something that your PHP script doesn't know about. One possibility is to use IP address restrictions on the MySQL side, so only requests directly from your web server are allowed. They could still get the password, but it wouldn't be of any use to them unless they also have control of your web server (this assumes that your MySQL password is not something you use elsewhere).
1) restrict access in your file system to admin (root) and webservices only
2) keep PWD and Username enclosed in PHP code (not too good, see next)
3) the file must be named *.php and the php interpreter has to interpret it always (webserver settings)
4) no directory index (webserver setting)
5) disable php error output to html, catch all warnings, errors etc.

In this case php will always interpret the file and since you do not print the variables values to any kind of output it will never be handed out. In case someone gains control over your file system and might access your script in plain text you will be in even more trouble than this.
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

seekinG1Author Commented:
Thanks guys for the comments. This is my first site and I am learning my way through. Could you explain more on how to implement the solutions?

Am I better off learning a new way (accepted standard way) of storing and securing the username/passwords for the mysql connection?

I also looked at the hosting site and they have Hotlink Protection using the .htaccess. I'm thinking of securing this file this way as well.
.htaccess is one way to go, though not the most secure.

I could only copy some howtos to tell you how it works. As you would like to learn by yourself how it works, you should look around for some howtos.

Point 1 throu 3 should be clear, AFAIK directory index can be set in your .htaccess config and something you should have a closer look at is error-handling. You can google all these terms very easily.
NerdsOfTechTechnology ScientistCommented:
CHMOD your folders appropriately if you are worried about shared server hacking.

Use appropriate .htaccess conventions when applicable to avoid serving the file directly in the raw. Such as:

Order deny,allow
Deny from all

avoid using common filenames (like password.php) for storing sensitive information AND
implement script side authentication in your includes when possible such as session verification.

Use best practice security and keep up-to-date with best practice security techniques.

Always use hosts that are trustworthy.

When in doubt of server-side security, if you can afford it, use a dedicated server.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Make encrypt the value and decrypt value...its also one kind of secure..




mcrypt_ofb — Encrypt/decrypt data in OFB mode
seekinG1Author Commented:
more clear steps or some external links would add value
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.