How to protect MySQL username and password

I use php Mysql for my website.
I've created a php file called constants.php and included my database username and password in that file.
If someone is able to see the contents of this file, he can easily access my database. How can I improve the security and prevent hackers from accessing my username/password?

<?php

define("DB_SERVER", "servername");
define("DB_USER", "myusername");
define("DB_PASS", "mypassword");     <----- Plain and visible
define("DB_NAME", "dbname");

?>
seekinG1Asked:
Who is Participating?
 
NerdsOfTechConnect With a Mentor Technology ScientistCommented:
CHMOD your folders appropriately if you are worried about shared server hacking.

Use appropriate .htaccess conventions when applicable to avoid serving the file directly in the raw. Such as:

Order deny,allow
Deny from all

avoid using common filenames (like password.php) for storing sensitive information AND
implement script side authentication in your includes when possible such as session verification.

Use best practice security and keep up-to-date with best practice security techniques.

Always use hosts that are trustworthy.

When in doubt of server-side security, if you can afford it, use a dedicated server.

=NerdsOfTech
0
 
czajkozCommented:
Don't allow to connect remote hosts to it only local hosts can connect to the database and if anyone could see the password he won't connect because the mysql server is listening only on localhost
0
 
SordSordCommented:
The basic problem is: you want your PHP script to access the database, but you don't what someone who knows everything your PHP script knows (i.e.the see the PHP file) to be able to access the database.

That means that access to the database needs to be controlled by something that your PHP script doesn't know about. One possibility is to use IP address restrictions on the MySQL side, so only requests directly from your web server are allowed. They could still get the password, but it wouldn't be of any use to them unless they also have control of your web server (this assumes that your MySQL password is not something you use elsewhere).
0
The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

 
FerrostiCommented:
1) restrict access in your file system to admin (root) and webservices only
2) keep PWD and Username enclosed in PHP code (not too good, see next)
3) the file must be named *.php and the php interpreter has to interpret it always (webserver settings)
4) no directory index (webserver setting)
5) disable php error output to html, catch all warnings, errors etc.

In this case php will always interpret the file and since you do not print the variables values to any kind of output it will never be handed out. In case someone gains control over your file system and might access your script in plain text you will be in even more trouble than this.
0
 
seekinG1Author Commented:
Thanks guys for the comments. This is my first site and I am learning my way through. Could you explain more on how to implement the solutions?

Am I better off learning a new way (accepted standard way) of storing and securing the username/passwords for the mysql connection?

I also looked at the hosting site and they have Hotlink Protection using the .htaccess. I'm thinking of securing this file this way as well.
0
 
FerrostiCommented:
.htaccess is one way to go, though not the most secure.

I could only copy some howtos to tell you how it works. As you would like to learn by yourself how it works, you should look around for some howtos.

Point 1 throu 3 should be clear, AFAIK directory index can be set in your .htaccess config and something you should have a closer look at is error-handling. You can google all these terms very easily.
0
 
kumaranmcaConnect With a Mentor Commented:
Make encrypt the value and decrypt value...its also one kind of secure..

like

base64_encode();

base64_decode();

mcrypt_ofb — Encrypt/decrypt data in OFB mode
0
 
seekinG1Author Commented:
more clear steps or some external links would add value
0
All Courses

From novice to tech pro — start learning today.