I had a question about securing information used to connect to MySQL databases. I store my db user name and password in a file called dbConnect.inc and placed it in a directory called php-includes. Security wise, I know it's best to place this directory outside of the root, so no one can access it in case something fails. Unfortunately, my web host doesn't allow this. How can I protect the information? Is there something I should do to the .htaccess file? I hope my question makes sense. Thanks.
Below is an excerpt from an article that Kevin wrote for SitePoint. My problem is that my host won't let me put anything outside the directory viewable to the web, so I was wondering what my options were.
PHP scripts will sometimes contain sensitive information like usernames, passwords, and other things you don't want the world to have access to. By now you're probably used to the mysql_connect function, which requires you to put your MySQL username and password in a PHP script that needs access to a database. While you can simply set up MySQL so that the username and password used by PHP cannot be used by potential hackers (by setting the Host field in the user table as described in Part 8), you would probably still rest easier knowing that your username and password are protected by an extra level of security.
"But wait a minute," you might be saying. "Since the PHP is processed by the server, nobody gets to see my password anyway, right?" Right. But consider what would happen if PHP stopped working on your server. Whether due to an accidental software misconfiguration made by a well-meaning associate or due to some other factor, if PHP stopped working on your server, the PHP pages would be served up as plain text files, with all your PHP code (including your password) there for the world to see!
To guard against this kind of security breach, you should put any security-sensitive code into an include file and put that file in a directory that is not part of your Web server's directory structure. By adding that directory to your PHP include_path setting (in php.ini), you can refer to the files directly with the PHP include function, but have them tucked away safely somewhere where your Web server can't display them as Web pages.
The first thing to do is to point a browser at the file and see what you get: http://www.whatever.com/path/to/dbConnect.inc. If you see your stuff in plain text, you have a problem even when PHP is working. You might consider renaming it to dbConnect.php, or something else that will be parsed by PHP and not create output, as a rudimentary step to protect yourself.
Now, there's not much you can do if your host does not allow you to place files outside of the webroot tree. If you are not allowed to do this, you most likely do not have permissions to configure the php.ini file that Kevin suggests in his article.
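An added example, not from any poster in this thread, of the .htaccess approach the question asks about: Apache refuses to serve the include file over HTTP while PHP's include() still reads it from disk, because include() never goes through the web server. It assumes Apache with .htaccess overrides enabled for the directory (AllowOverride All or at least the relevant groups) and the hypothetical paths from the thread.

```apache
# .htaccess in the web root (or in /php-includes): block direct requests for
# *.inc files such as dbConnect.inc. PHP's include() is unaffected because it
# opens the file from the filesystem, not via an HTTP request.
<FilesMatch "\.inc$">
    # Apache 2.4 syntax
    Require all denied
    # Apache 2.2 syntax (use instead of the line above on older servers):
    # Order allow,deny
    # Deny from all
</FilesMatch>

# Stricter variant for /php-includes/.htaccess: nothing in that directory
# is ever served directly, whatever its extension.
# Require all denied

# Verify from outside; expect "HTTP/1.1 403 Forbidden", not the file contents:
#   curl -sI http://www.whatever.com/php-includes/dbConnect.inc
```

Renaming the file to dbConnect.php, as suggested above, is complementary rather than a replacement: it keeps the credentials out of a raw-text response only as long as the PHP handler is working, whereas the deny rule holds even if PHP stops being parsed.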