avoid db credential exposure

How can a hacker get my db credentials if I keep them in a php file at the root?

Please check here for discussion: http://phpsec.org/projects/guide/3.html

It is said that

"...Potential problems arise when this file is somewhere within document root. This is a common approach, because it makes include and require statements much simpler, but it can lead to situations that expose your access credentials.
Remember that everything within document root has a URL associated with it. For example, if document root is /usr/local/apache/htdocs, then a file located at /usr/local/apache/htdocs/inc/db.inc has a URL such as http://example.org/inc/db.inc.
Combine this with the fact that most web servers will serve .inc files as plaintext, and the risk of exposing your access credentials should be clear. A bigger problem is that any source code in these modules can be exposed, but access credentials are particularly sensitive...

Dave Baldwin (Fixer of Problems) commented:
Don't use the 'inc' extension. Programs like phpMyAdmin and others use 'config.inc.php'. That tells you what it is, but if anyone types that link, it runs through the PHP interpreter and does not display anything.
myyis (Author) commented:
Yes, but my question is what happens if I keep it in a php file (dbconn.php) and put it at the document root.
How can a hacker get the db credentials?
It is said "...Potential problems arise when this file is somewhere within document root..."
Dave Baldwin (Fixer of Problems) commented:
The hacker would have to break into your server. If it is shared hosting, the hosting company is supposed to take care of that. Also, on most shared hosting, you have no other place to put your files.
myyis (Author) commented:
If the hacker can break into the server, s(he) can "somehow" reach the files that are not at the document root.
Meaning that keeping dbconn.php at the document root is not less secure than putting it in any other place.
So the suggestion below is useless even if you have a dedicated server.

Am I wrong?

The link (http://phpsec.org/projects/guide/3.html) suggests this:

 "...Create a file, /path/to/secret-stuff, that only root can read (not nobody):
SetEnv DB_USER "myuser"
SetEnv DB_PASS "mypass"
Include this file within httpd.conf as follows:
Include "/path/to/secret-stuff"
Now you can use $_SERVER['DB_USER'] and $_SERVER['DB_PASS'] in your code...
Dave Baldwin (Fixer of Problems) commented:
If a hacker can break into your server, they will do it as 'root' and be able to reach anything and everything.

I'm not sure that 'suggestion' works because the web server does not run as 'root'. It runs as a very limited user to prevent accidental access outside the web root directories.

Your 'first line of defense' is to use the 'php' extension for your files to make sure they run through the PHP interpreter and can't be read as plain text over the web.
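A defender's check for the point made in this answer and in the quoted guide, as an added example that is not part of the thread: it walks a document root and lists files that the server would hand out as plain text (anything whose extension is not in an assumed PHP handler set) and that look like they hold database credentials. The extension set, the credential patterns and the constructed sample tree are assumptions; match the extensions to the AddHandler/SetHandler lines of your own httpd.conf.

```python
"""List files under a document root that would be served as plain text
(never run through PHP) but look like they hold DB credentials.
Added example, not code from the thread or from phpsec.org."""
import re
import tempfile
from pathlib import Path

# Assumed: extensions the server hands to the PHP interpreter.
PHP_EXTENSIONS = {".php", ".phtml"}

# Assumed heuristics for "this file carries access credentials".
CREDENTIAL_PATTERNS = [
    re.compile(r"""\$(?:db_)?(?:user|pass|password)\s*=\s*['"]""", re.I),
    re.compile(r"\b(?:mysqli?_connect|new\s+PDO)\s*\(", re.I),
    re.compile(r"\bDB_(?:USER|PASS|PASSWORD|HOST)\b"),
]

def served_as_plaintext(path: Path) -> bool:
    """True if the server would not pass this file through PHP."""
    return path.suffix.lower() not in PHP_EXTENSIONS

def find_exposed_credentials(docroot: str) -> list[str]:
    """Docroot-relative paths of plaintext-served, credential-looking
    files; every one of them has a URL under the site root."""
    root = Path(docroot)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or not served_as_plaintext(path):
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        if any(p.search(text) for p in CREDENTIAL_PATTERNS):
            hits.append(path.relative_to(root).as_posix())
    return hits

def demo() -> list[str]:
    """Constructed docroot mirroring the thread: inc/db.inc is exposed,
    dbconn.php is not because it runs through the interpreter."""
    tmp = tempfile.mkdtemp()
    inc = Path(tmp, "inc")
    inc.mkdir()
    creds = "<?php $db_user = 'myuser'; $db_pass = 'mypass';"
    (inc / "db.inc").write_text(creds)
    Path(tmp, "dbconn.php").write_text(creds)
    Path(tmp, "index.html").write_text("<h1>hello</h1>")
    return find_exposed_credentials(tmp)  # returns ['inc/db.inc']
```

Run it against a real document root with `find_exposed_credentials("/usr/local/apache/htdocs")`; an empty list means nothing credential-like is reachable as plain text under the assumed handler set.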

Ray Paseur commented:
Ask your hosting company for their advice.  You will probably find that it is the same as Dave Baldwin's advice -- parse all of your scripts through PHP.  There are well-known "best practices" for this sort of thing, and people stealing your database credentials from a reputable hosting company are an extreme and bizarre edge case.  More likely, you will find this sort of problem comes up when a novice installs an insecure WordPress plugin.  Truth: This is not a problem in the real world!