It's always bothered me that many PHP programs require the user to store the mysql password in plain text (in a string or constant) in a configuration file in the applicati
It does not have to be in the webroot. You can move the file outside of the webroot and call it that way. This will just mean the file cannot be called directly from the web.
If your code has security flaws in it, such as including stuff without filtering from GET data, then that file is still at risk. The real key is making sure your application is secure as well.
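The two replies above describe one layout and one pitfall: keep the credentials file outside the document root so it can never be served directly, and make sure no `include` in the application takes its path from request data, because an unfiltered include reads that file back out wherever it sits on disk. The following is an added example illustrating both points; it is not code from the thread. The directory layout, the file names and the `$pages` allowlist are assumptions for illustration.

```php
<?php
// Added example, not from the original thread.
// Assumed (hypothetical) layout:
//   /var/www/example/config/db.php    - credentials, OUTSIDE the webroot
//   /var/www/example/public/          - the document root served by the web server
//   /var/www/example/public/index.php - this file
//   /var/www/example/public/pages/    - page templates included below
//
// config/db.php contains nothing but a returned array, e.g.:
//   <?php
//   return ['host' => '127.0.0.1', 'name' => 'app', 'user' => 'app', 'pass' => 'placeholder'];
// and should be readable only by the web server account (e.g. mode 0640,
// owned by root with group www-data), so other local users cannot read it.

declare(strict_types=1);

// 1. Load credentials from outside the document root. A request for
//    https://example.test/config/db.php cannot reach the file because the
//    web server never serves anything above public/.
$config = require __DIR__ . '/../config/db.php';

$pdo = new PDO(
    sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $config['host'], $config['name']),
    $config['user'],
    $config['pass'],
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);
// Do not keep the plaintext password around longer than needed.
unset($config);

// 2. The flaw the second reply warns about. An include built from request data
//    defeats step 1 entirely:
//
//    VULNERABLE - do not use:
//      include __DIR__ . '/pages/' . $_GET['page'] . '.php';
//
//    With that line, ?page=../../config/db walks out of pages/ and executes
//    the credentials file, and a stream wrapper such as
//    ?page=php://filter/convert.base64-encode/resource=../../config/db
//    returns its source (the password included) to the client as base64.
//
//    Hardened version: map the parameter onto a fixed allowlist of files so
//    user input never becomes part of a filesystem path.
$pages = [
    'home'    => __DIR__ . '/pages/home.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

$page = $_GET['page'] ?? 'home';
if (!is_string($page) || !array_key_exists($page, $pages)) {
    http_response_code(404);
    exit('Not found');
}

require $pages[$page];
```

The allowlist is the important part: validating the parameter with a regex or stripping `../` is fragile (wrappers like `php://filter` and encoded traversal sequences keep finding ways through), whereas a lookup table means the only paths that can ever be included are the ones written in the source. Moving `db.php` out of the webroot protects against direct requests only; it does nothing against an arbitrary-file-read or arbitrary-include bug, which is exactly the point the second reply makes.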