avoid db credential exposure

How can a hacker get my db credentials if I keep them in a php file at the root?

Please check here for discussion  http://phpsec.org/projects/guide/3.html

is said that

"...Potential problems arise when this file is somewhere within document root. This is a common approach, because it makes include and require statements much simpler, but it can lead to situations that expose your access credentials.
Remember that everything within document root has a URL associated with it. For example, if document root is /usr/local/apache/htdocs, then a file located at /usr/local/apache/htdocs/inc/db.inc has a URL such as http://example.org/inc/db.inc.
Combine this with the fact that most web servers will serve .inc files as plaintext, and the risk of exposing your access credentials should be clear. A bigger problem is that any source code in these modules can be exposed, but access credentials are particularly sensitive...
Who is Participating?
Dave BaldwinFixer of ProblemsCommented:
If a hacker can break into your server, they will do it as 'root' and be able to reach anything and everything.

I'm not sure that 'suggestion' works because the web server does not run as 'root'.  It runs as a very limited user to prevent accidental access outside the web root directories.

Your 'first line of defense' is to use the 'php' extension for your files to make sure they run thru the PHP interpreter and can't read as plain text over the web.
Dave BaldwinFixer of ProblemsCommented:
Don't use the 'inc' extension.  Programs like phpMyAdmin and others use 'config.inc.php'.  That tells you what it is but if anyone types that link, it runs thru the PHP interpreter and does not display anything.
myyisAuthor Commented:
Yes but my question  is what happens  if I keep it in a php file (dbconn.php) and put it at the document root.
How can a hacker can get the db credentials?
it is  said  "...Potential problems arise when this file is somewhere within document root..."
Cloud Class® Course: Python 3 Fundamentals

This course will teach participants about installing and configuring Python, syntax, importing, statements, types, strings, booleans, files, lists, tuples, comprehensions, functions, and classes.

Dave BaldwinFixer of ProblemsCommented:
The hacker would have to break into your server.  If it is shared hosting, the hosting company is supposed to take care of that.  Also, on most shared hosting, you have no other place to put your files.
myyisAuthor Commented:
If the hacker can break into the server, s(he) can "somehow" reach to the files that are not at the document root.
Meaning that keeping dbconn.php at the document root is not  less secure than putting it to any other place.
So the suggestion below is useless even you have a dedicated server.

Am I wrong?

At the link  (http://phpsec.org/projects/guide/3.html) suggested this:

 "...Create a file, /path/to/secret-stuff, that only root can read (not nobody):
SetEnv DB_USER "myuser"
SetEnv DB_PASS "mypass"
Include this file within httpd.conf as follows:
Include "/path/to/secret-stuff"
Now you can use $_SERVER['DB_USER'] and $_SERVER['DB_PASS'] in your code...
Ray PaseurCommented:
Ask your hosting company for their advice.  You will probably find that it is the same as Dave Baldwin's advice -- parse all of your scripts through PHP.  There are well-known "best practices" for this sort of thing, and people stealing your database credentials from a reputable hosting company are an extreme and bizarre edge case.  More likely, you will find this sort of problem comes up when a novice installs an insecure WordPress plugin.  Truth: This is not a problem in the real world!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.