In the past I have stored database credentials (username, password) in another file (outside of the web directory) and included this in a PHP page to make connections with the database. Since I have started doing a lot of database interaction via AJAX, I have to change how I do this, since the AJAX script cannot include a script outside the web directory.
In order to deal with AJAX database connections, I need a good secure way to get the username and password data to the AJAX script. What is the best (secure and handy) way to do this? If I simply put my database credentials file in the web directory, what permissions should I give it? Is this a good/bad idea?
Thanks a lot!
** EDIT **
Apparently there is no problem including files outside of the web root directory, I was mistaken. Thanks very much, this probably changes things for me… :-/
** EDIT 2 **
Indeed that changed everything for me, I was able to include the database config file which I was using in all the pages (which resided outside the web root), so this is great!
If you are not opposed to changing things up a little bit, I think you should use your backend to interface with the database, and just use your AJAX to hit those interfaces to the DB. That way you don't ever have to “Store db creds” client side.
OR if you absolutely must save client side, you should figure out a way to reduce your access to a hashed / salted key that you save in a session cookie or something.
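The backend-interface approach from the answer above, as an added example that is not part of the original thread: a PHP endpoint inside the web root that the AJAX call requests, which loads the credentials from a file outside the web root and returns only JSON. The directory layout, the file names, the array keys in the config file and the `items` table are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Hypothetical endpoint: /var/www/html/api/items.php (web root is /var/www/html).
// Assumed config file outside the web root, /var/www/private/db_config.php,
// which returns ['dsn' => ..., 'user' => ..., 'pass' => ...].
$config = require __DIR__ . '/../../private/db_config.php';

header('Content-Type: application/json; charset=utf-8');

// Send a JSON body with the given HTTP status and stop.
function respond(int $status, array $body): void
{
    http_response_code($status);
    echo json_encode($body);
    exit;
}

// Accept only the one parameter this endpoint needs, and validate it.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    respond(400, ['error' => 'id must be a positive integer']);
}

try {
    $pdo = new PDO($config['dsn'], $config['user'], $config['pass'], [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    // Hypothetical table and columns; the value is bound, never concatenated.
    $stmt = $pdo->prepare('SELECT id, name FROM items WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch();
} catch (PDOException $e) {
    // Log server-side only: PDO messages can include the DSN or username.
    error_log('items.php: ' . $e->getMessage());
    respond(500, ['error' => 'internal error']);
}

// The browser receives the row or an error, never the credentials.
respond($row ? 200 : 404, $row ?: ['error' => 'not found']);
```

The client-side script only requests `api/items.php?id=…` and parses the JSON; the credentials file stays readable by the PHP process alone and is never reachable by URL.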