
security – Is saving MySQL username/password in the php.ini file secure?

Posted by: admin July 12, 2020

Questions:

I would like to know if it is secure to save the username, password, server, etc. in the php.ini file so that when I connect to the MySQL server I don’t always have to put in the parameters?

Also, can this information (saved in the php.ini) be viewed or retrieved by any kind of method (like phpinfo() or something like that)?

Thanks

How to & Answers:

As long as you make sure the ini file is outside the DOCUMENT_ROOT and not world-readable, it’s no less secure than any other method.

Answer:

You don’t have to put that info in the parameters every time. You can define the connection in a separate file (dbconnection.php) and include that in the files that need a database connection.

Answer:

It isn’t secure, because you can read ini files with the PHP method parse_ini_file.

Answer:

I don’t think there is a security risk involved in saving any configuration in the php.ini file, since the location of the ini file is outside the “public” directory. No user can access this file.

You can get an ini parameter using the “ini_get” PHP function. You can find more information about this parameter here:
http://php.net/manual/en/function.ini-get.php

Answer:

It would be much more secure if you had put it in a file without an extension, and then secured that file with .htaccess. Also, a .ini file can be read by any browser, so that would be super insecure.

Answer:

As stated above, the .ini file might not be more or less secure than storing it in a .php file itself. However, one thing to consider is that when using the .ini file, this setting is effectively global to any and all PHP code and websites. Using the .ini file may affect other code that you wish to use a different user for.

Overall, it’s probably best security practice to NOT use an .ini file to store the password, simply because it’s now open to anybody storing PHP files on your server. It also makes it a bit of a hassle if you suddenly need to give multiple sites or applications for a site different logins (for separate databases). It’s not best to use one login for multiple databases, except for the root user, which should only be used for administrative purposes.
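Added example, not part of the original answers: a PHP 8 audit that checks the two conditions named in the first answer (file outside DOCUMENT_ROOT, not world-readable) and reports which `mysqli.default_*` directives in php.ini are set and therefore readable by every script on the server through `ini_get`, the concern raised in the last answer. The paths, file names and sample credentials are constructed for the demo, and POSIX file permissions are assumed.

```php
<?php
declare(strict_types=1);

/** Return the problems found with a per-application credentials file. */
function auditCredentialFile(string $file, string $docRoot): array
{
    $real = realpath($file);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        return ["cannot resolve $file or $docRoot"];
    }
    $problems = [];
    // Condition 1: the file must not sit under the web server's document root.
    if (str_starts_with($real, rtrim($root, '/') . '/')) {
        $problems[] = "inside DOCUMENT_ROOT ($root)";
    }
    // Condition 2: no read/write/execute bits for "other".
    $mode = fileperms($real) & 0777;
    if ($mode & 0007) {
        $problems[] = sprintf('world-accessible (mode %04o)', $mode);
    }
    return $problems;
}

/** Names of php.ini MySQL defaults that are set, i.e. global to all PHP code. */
function globalMysqlDefaults(): array
{
    $keys = ['mysqli.default_host', 'mysqli.default_user', 'mysqli.default_pw'];
    // ini_get() returns false when the directive is unknown (extension not loaded).
    // Only the directive name is reported, never its value.
    return array_values(array_filter($keys, function (string $k): bool {
        $v = ini_get($k);
        return $v !== false && $v !== '';
    }));
}

// Constructed demo layout: one file in the web root (0644), one outside it (0600).
$base = sys_get_temp_dir() . '/cred_audit_' . getmypid();
mkdir("$base/public", 0755, true);
mkdir("$base/private", 0700, true);
foreach (['public' => 0644, 'private' => 0600] as $dir => $mode) {
    file_put_contents("$base/$dir/db.ini", "user=app\npassword=constructed\n");
    chmod("$base/$dir/db.ini", $mode);
    $found = auditCredentialFile("$base/$dir/db.ini", "$base/public");
    echo "$dir/db.ini: ", $found ? implode('; ', $found) : 'OK', PHP_EOL;
}
echo 'php.ini MySQL defaults set: ', implode(', ', globalMysqlDefaults()) ?: 'none', PHP_EOL;
```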