a better approach than storing mysql password in plain text in config file?

Question

It\'s always bothered me that many PHP programs require the user to store the mysql password in plain text (in a string or constant) in a configuration file in the applicati

Answer 1

Personally, I store sensitive information such as database connection details in a config.ini file outside of my web folder’s root. Then in my index.php I can do:

$config = parse_ini_file('../config.ini');

This means variables aren’t visible if your server accidentally starts outputting PHP scripts as plain text (which has happened before, infamously to Facebook); and only PHP scripts have access to the variables.

It’s also not reliant on .htaccess in which there’s no contingency if your .htaccess file is moved or destroyed.

Caveat, added 14 February 2017: I’ll now store configuration parameters like this as environment variables. I’ve not used the .ini file approach for some time now.