I had a question about securing information used to connect to MySQL databases. I store my DB user name and password in a file called and placed it in a directory called php-includes. Security-wise, I know it's best to place this directory outside of the root, so no one can access it in case something fails. Unfortunately, my web host doesn't allow this. How can I protect the information? Is there something I should do to the .htaccess file? I hope my question makes sense. Thanks.

Below is an excerpt from an article from SitePoint that Kevin wrote. My problem is that my host won't let me put anything outside the directory viewable to the web, so I was wondering what my options were.

PHP scripts will sometimes contain sensitive information like usernames, passwords, and other things you don't want the world to have access to. By now you're probably used to the mysql_connect function, which requires you to put your MySQL username and password in a PHP script that needs access to a database. While you can simply set up MySQL so that the username and password used by PHP cannot be used by potential hackers (by setting the Host field in the user table as described in Part 8), you would probably still rest easier knowing that your username and password are protected by an extra level of security.

"But wait a minute," you might be saying. "Since the PHP is processed by the server, nobody gets to see my password anyway, right?" Right. But consider what would happen if PHP stopped working on your server. Whether due to an accidental software misconfiguration made by a well-meaning associate or due to some other factor, if PHP stopped working on your server, the PHP pages would be served up as plain text files, with all your PHP code (including your password) there for the world to see!

To guard against this kind of security breach, you should put any security-sensitive code into an include file and put that file in a directory that is not part of your Web server's directory structure. By adding that directory to your PHP include_path setting (in php.ini), you can refer to the files directly with the PHP include function, but have them tucked away safely somewhere where your Web server can't display them as Web pages.
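When the include directory cannot be moved outside the document root, the next best measure is to tell the web server never to serve it over HTTP while PHP keeps reading it from disk. The following .htaccess, placed inside the php-includes directory, is an added example and is not from the original post or the SitePoint article; it assumes Apache 2.4 with AllowOverride set to allow authorization directives in that directory (the Apache 2.2 form is shown in a comment).

```apache
# php-includes/.htaccess  (added example; assumes Apache 2.4 and AllowOverride Limit or All)
#
# Refuse every HTTP request for anything under php-includes/. PHP's
# include() and require() open the file through the filesystem, not
# through a web request, so scripts that include the config keep working
# while a browser asking for /php-includes/<anything> gets 403 Forbidden.
Require all denied

# Apache 2.2 equivalent (mod_authz_host); use instead of the line above:
# Order deny,allow
# Deny from all

# Belt and braces: even if the directory rule is ever relaxed, never serve
# files whose names mark them as configuration or backups left by editors.
<FilesMatch "(\.inc|\.conf|\.bak|~)$">
    Require all denied
</FilesMatch>
```

Verify the rule is actually honored by requesting a file in that directory with a browser or curl and confirming a 403 rather than the file's contents; if the host sets AllowOverride None, the .htaccess is silently ignored and the directory remains as exposed as before. This protects only the include file itself: the scripts that include it are still served as plain text if PHP stops being processed, so keep nothing sensitive in them beyond the include line.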