Security while connecting to a MySQL database using PDO

Question

I looked at this question: What is the right way of storing database connection strings from the security point of view?

And I'm wondering specifically for connecting to a MySQL database with PDO, how can I be more secure?

1. I currently store my password in plain text in a .php file.
2. If storing outside the root is optimal, how can I include this file when I must access the database in index.php for example?

Answer 1

Use include or include_once to include anything in PHP.

<?php
include_once("/etc/out-of-htdocs/password.php");
?>

The PHP code can access files, which are not accessible via an URL. That is the security benefit.

In case of a miss configuration of the PHP module it is possible that every PHP file gets delivered without evaluation, which means that the password is world readable for everybody. If the PHP file is not accessible via an URL a configuration problem of the PHP module does not have any impact in the password security.

Answer 2

I want to add to the original question - maybe there is a way not to store the actual password in a file at all? Just to keep a hash in it so if the PHP files somehow are downloaded attacker can`t do that much.

I think it's not a farfetched example, because sometimes it's not possible to store configuration file away from the directory which is accessible via FTP which can be easy forced.