[pmwiki-users] Keeping MySQL passwords safe

Ben Stallings ben at interdependentweb.com
Thu Apr 10 11:56:57 CDT 2008


Julius wrote,
> While installing the UpdateForm recipe (for interfacing with a mysql
> database), I bumped
> into a security issue. On
> http://www.pmwiki.org/wiki/Cookbook/UpdateForm it says:
> 
>  3. Define (either in the script or in config.php) the constants
> DB_SERVER, DB_NAME, DB_USER,
>  and DB_PASS to match your database, like so:
> 
>   define ('DB_SERVER', 'db1.example.com');
>   define ('DB_NAME', 'my_database');
>   define ('DB_USER', 'my_username');
>   define ('DB_PASS', 'my_password');
> 
> But I prefer to not store these inside my web/doc root.
> What is the best option to do this then?
> 
> Should I best put
> 
> require_once("../dbinclude.php");
> 
> in /local/config.php or in updateform.php ?
> where dbinclude.php is:
> <?php include("/home/path_to_dbase_access_variables_stuff.php"); ?>
> 
> or will the require_once cause trouble and should I use the include directly?

Hi, Julius.  Require and include do basically the same thing, so there's 
no need to require a file that does nothing but include another file; 
you might as well do it in one step.

However, I question whether what you're suggesting will do any good, 
since the file with the passwords in it has to be readable by the Web 
server in order to be included by PHP, and as I understand it, that 
means it will also be readable by anyone who has access to your Web 
document root directory.  I haven't tried it, though, so I may be 
mistaken.  Let me know what you find out!

Ben Stallings
Interdependent Web
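A one-step version of the setup Julius describes, as an added example that is not from the original thread or the UpdateForm recipe: local/config.php loads the credentials file directly with an absolute path, after checking that it sits outside the document root and is not world-readable. The paths /var/www/private/dbconfig.php and the document root in $_SERVER['DOCUMENT_ROOT'] are assumptions.

```php
<?php
// Added example, not part of the pmwiki-users thread or the UpdateForm recipe.
// Assumed layout: credentials in /var/www/private/dbconfig.php (outside the
// web document root), owned by the site admin, group = web server, mode 0640:
//   chown admin:www-data /var/www/private/dbconfig.php
//   chmod 640            /var/www/private/dbconfig.php
// dbconfig.php contains only the four define() lines from the recipe.

// Return the reasons a credentials file is unsafe to load; empty array = OK.
function credentialsFileProblems($path, $docRoot) {
    $problems = array();
    $real = realpath($path);
    if ($real === false) {
        return array("credentials file $path does not exist");
    }
    // Anything under the document root can be requested as a URL (and is
    // served verbatim if PHP handling ever breaks), so refuse it outright.
    $root = realpath($docRoot);
    if ($root !== false && strpos($real, rtrim($root, '/') . '/') === 0) {
        $problems[] = "$real is inside the document root $root";
    }
    // The web server must be able to read the file, but other local users
    // should not, and the web server should not be able to modify it.
    $mode = fileperms($real) & 0777;
    if ($mode & 0007) {
        $problems[] = sprintf('%s is world-accessible (mode %04o)', $real, $mode);
    }
    if ($mode & 0022) {
        $problems[] = sprintf('%s is group- or world-writable (mode %04o)', $real, $mode);
    }
    return $problems;
}

$dbConfig = '/var/www/private/dbconfig.php';   // assumed path, outside doc root
$problems = credentialsFileProblems($dbConfig, $_SERVER['DOCUMENT_ROOT']);
if ($problems) {
    // Fail closed: log the reason for the admin, say nothing useful to the client.
    error_log('UpdateForm: refusing to load DB credentials: ' . implode('; ', $problems));
    exit('Database configuration error');
}
require_once $dbConfig;   // defines DB_SERVER, DB_NAME, DB_USER, DB_PASS
```

The check answers Ben's concern directly: the file being readable by the web server process is what PHP needs, while keeping it outside the document root and without world-read bits is what stops it from being fetched over HTTP or read by other accounts on the host.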
