Welcome to the Treehouse Community
Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.
Looking to learn something new?
Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.
Start your free trialJonathan Söder
7,428 PointsHow do you store your mysql user credentials in a secure way?
Hi!
How do you store your mysql user credentials? The one's you actually connect to the database with?
I've tried making sense of the things I've read like storing them outside of root etc. Each solution seems to have its strong and weak points. The answers doesn't seem to be catering to beginners like myself though.
I'm on a shared hosting plan. Right now I just store my mysql credentials in a php file with server/user/pass. I include the file in a connect.php. I assume this isn't even a relatively safe way to do it. How do you actually store database credentials on a shared hosting plan?
3 Answers
Codin - Codesmite
8,600 PointsSource code to PHP scripts are not visible to people inspecting your source code, so in general DB passwords are fairly secure in PHP, unless there is errors thrown from the file containing the information then there is a chance it will be printed in the error or accessible.
Although this article has a very good explination on storing your passwords outside of the root folder and is roughly the way I do it myself (give or take a few changes depending on how the server is configured):
https://www.binpress.com/tutorial/using-php-with-mysql-the-right-way/17
Example:
The root of my webserver is "/localhost/public_html/" I create a folder lets say for example "/localhost/private/" This location is not accesible to others externally as it does not have url being one level above the root folder.
I place a config.ini at "/localhost/private/config.ini"
The config.ini contains the database login credentials:
[database]
servername = localhost
username = admin
password = password
dbname = db_main
I then create a php function within the root lets say for example at "/localhost/public_html/includes/dbconnect.php"
Contents of dbconnect.php:
<?php
function db_connect() {
// Define connection as a static variable, to avoid connecting more than once
static $connection;
// Try and connect to the database, if a connection has not been established yet
if(!isset($connection)) {
// Load configuration as an array. Use the actual location of your configuration file
$config = parse_ini_file('../private/config.ini');
$connection = mysqli_connect($config['servername'],$config['username'],$config['password'],$config['dbname']);
}
// If connection was not successful, handle the error
if($connection === false) {
// Handle error - notify administrator, log to a file, show an error screen, etc.
return mysqli_connect_error();
}
return $connection;
}
// Connect to the database
$connection = db_connect();
// Check connection
if ($connection->connect_error) {
die("Connection failed: " . $connection->connect_error);
}
?>
As you can see I parse the values of config .ini file into an array $config from the server location "../private/config.ini" which is a location that can only be accessed by the localhost and cant be scoped out via a URL.
Whenever I want to connect to the database I just include the dbconnect.php file that contains the function,
<?php
require_once('./includes/dbconnect.php');
?>
and for queries I call the variable $connection from the dbconnect() function, for example:
<?php
$sql = "SELECT id, title, stitle, date, section, content FROM articles";
$result = $connection->query($sql);
?>
By doing all this my database login credentials are located outside the scope of the websites root, and if you were to get an SQL or PHP error it will only display the variable names and not the values holding the login credentials.
Hope this helps you work it out (it's pretty confusing and took me a while to get my head around at first) if you need any more help let me know :)
thomascawthorn
22,986 PointsAlso make sure that your credentials never get added to github!
Jonathan Söder
7,428 PointsI'm going to put that on a post it note and tape it to the front of my screen. I can definitely see myself doing that mistake :=)
Tom Merkel
2,269 PointsHey,
Is this still the accepted way of handling it in 2020?
Thanks, Tom.
Jonathan Söder
7,428 PointsJonathan Söder
7,428 PointsThis is awesome, thanks Ashley!