Secure storage of database credentials

闹比i 2021-01-03 07:53

Had a major problem recently where my web hosting company messed up and all my php files were displayed in plain text. This was a major issue for me for obvious reasons. Mai

3 Answers
  • 2021-01-03 08:20

    Simply place info.php outside your webroot. This way, you can include it, but should your web hosting f*#$ up, no one else can view that file, even as plain text.

    You would then include it like this:

    include('../info.php');

    This way, even if someone finds out that you have a file called info.php that stores all your passwords, they cannot point their browser to that file.

    The above would be the ideal and most watertight solution. However, if that is not possible due to permissions, the other option would be to place all sensitive files in a directory and block direct access to that directory using a .htaccess file.

    In the directory you want to block off access to, place an .htaccess file with the following contents:

    deny from all

    0 Discussion (0)
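
Added example (not part of the answers on this page and not the posters' code): a loader for the outside-the-webroot approach that refuses to read the credentials file if it resolves to a path inside the document root. The directory layout, the `dsn`/`user`/`pass` keys and the function names `isInside` and `loadCredentials` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Assumed layout: info.php sits one level above the webroot and contains
//   <?php return ['dsn' => '...', 'user' => '...', 'pass' => '...'];

/** True when $path resolves (symlinks followed) to a location inside $root. */
function isInside(string $path, string $root): bool
{
    $realPath = realpath($path);
    $realRoot = realpath($root);
    if ($realPath === false || $realRoot === false) {
        return false;
    }
    $realRoot = rtrim($realRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($realPath . DIRECTORY_SEPARATOR, $realRoot, strlen($realRoot)) === 0;
}

/** Load credentials from a file that must live outside the document root. */
function loadCredentials(string $file, string $docRoot): array
{
    if (!is_file($file) || !is_readable($file)) {
        throw new RuntimeException('Credentials file missing or unreadable');
    }
    if (isInside($file, $docRoot)) {
        // If PHP handling breaks, anything under the webroot is served as text.
        throw new RuntimeException('Credentials file is inside the document root');
    }
    $creds = require $file; // the file returns an array and echoes nothing
    if (!is_array($creds)) {
        throw new RuntimeException('Credentials file did not return an array');
    }
    foreach (['dsn', 'user', 'pass'] as $key) {
        if (!isset($creds[$key])) {
            throw new RuntimeException("Credentials file lacks '$key'");
        }
    }
    return $creds;
}

// Usage from a script inside the webroot.
try {
    $docRoot = ($_SERVER['DOCUMENT_ROOT'] ?? '') ?: __DIR__;
    $creds = loadCredentials(__DIR__ . '/../info.php', $docRoot);
    $pdo = new PDO($creds['dsn'], $creds['user'], $creds['pass'],
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
} catch (Throwable $e) {
    error_log('DB bootstrap failed: ' . $e->getMessage()); // details go to the log only
    http_response_code(500);
    exit;
}
```

Using `__DIR__` instead of a bare `'../info.php'` makes the include independent of the current working directory and `include_path`.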
  • 2021-01-03 08:24

    Create a form that redirects to a file, for example "requests.php", and make a switch in it for all your requests. If your data is right, redirect to the specific page; if not, do the same. At the end of the switch put another redirect. This way the user can't see that page. Don't put HTML or anything there - only logic.

    0 Discussion (0)
  • 2021-01-03 08:42

    If for some reason xbonez's answer doesn't work (let's say one doesn't have access to a non-document_root folder), you can achieve the same thing by using .htaccess:

    <files info.php>
     order allow,deny
     deny from all
    </files>
    

    This should, in theory (not tested), protect the file from being used in the browser but not block PHP from including said file.

    0 Discussion (0)