Possible Duplicate: Is it ever ok to store password in plain text in a

Question

0

Editorial Team

Asked: May 28, 20262026-05-28T17:10:12+00:00 2026-05-28T17:10:12+00:00

Possible Duplicate: Is it ever ok to store password in plain text in a

0

Possible Duplicate:
Is it ever ok to store password in plain text in a php variable or php constant?

I used to store my db credentials in a PHP file like this:

<?php
    define('HOST', 'localhost');
    define('USER', 'db_user');
    define('PASS', 'user_pass');
    define('DB', 'database');
?>

I use constants but in a recently project, one of the PHP coders said that storing db credentials into constants wasn’t secure. I don’t get it. I tried to find some information but nobody says nothing about this.

Is there any security risk in storing db credentials into PHP constants?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-28T17:10:13+00:00

The only risk is if you have the definitions under the document root. In that case, if something goes wrong with your server configuration and people can see your PHP code, the constants (and thus database credentials) will be exposed.

The most secure way (that I know of) is to have the credentials as part of the server environment that is restricted only to root. Then, developers can use _SERVER['db_user'], etc. This is potentially more secure in that the people who have access to the actual DB credentials are more limited. It also gives you the flexibility to use different credentials depending on the server (development vs. production, for example). However, you can see all server environment variables with phpinfo(), var_dump($_SERVER), etc. so you have to take care not to upload such things.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Possible Duplicate: Is it ever ok to store password in plain text in a

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply