Home/ Questions/Q 948907
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-15T23:19:11+00:00

It’s always bothered me that many PHP programs require the user to store the

  • 0

It’s always bothered me that many PHP programs require the user to store the mysql password in plain text (in a string or constant) in a configuration file in the application’s root.

Is there any better approach to this after all these years?

So far I have come up with two minimal security boosts:

  1. make the file unreadable via the web using rules in .htaccess
    (in case php fails or there’s a security vulnerability to read php source)

  2. destroy the password in memory after the db connect is made (unset)
    (to prevent string dumps from a security breach, injection, etc.)

but of course neither of those solve the original problem.

Thanks for any other ideas!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Since your code will need the password there is no perfect security. But you can make it hard to recover.

    I put some hash in my web config, as an environment variable, say MYSQL_PASS_HASH

    Then I do something like md5(getenv('MYSQL_PASS_HASH').'gibberish$qwefsdf') which is then the password. Of course you should unsetenv after that if you’re paranoid.

    Your password will not literally be stored somewhere, and it can be recovered only when someone has both you web config and your database include.

    This happens in a file outside of the webroot (don’t put all your trust in .htaccess).

    • 0