2021-07-29

Others may have better insight; the only security ‘issue’ I would say is don’t store your database stuff in variables.
If later in your code, or in an included file that loads your database connection, I can echo out $password …
(This is a rare attack vector that requires access to your file structure, but it’s happened.)
Compare:
<?php
$servername = "localhost";
$username = "db_user";
$password = "db_pass";
$dbname = "the_database";
try {
    // The credential variables stay in scope after this line and can be dumped later
    $pdo = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
} catch (PDOException $e) {
    error_log($e->getMessage());
    exit("Database connection failed");
}

vs

<?php
try {
    // Credentials are literals handed straight to PDO; nothing is left in a variable
    $pdo = new PDO("mysql:host=localhost;dbname=the_database", "db_user", "db_pass");
} catch (PDOException $e) {
    error_log($e->getMessage());
    exit("Database connection failed");
}
Because I never store the password or username, the only thing that can access the password is the $pdo object, and you can’t extract it from the $pdo variable.
How does someone exploit this?
I’ve done this once. A piece of third-party software, encrypted code. I can’t read it. But I can include it.
<?php
// Pull the encrypted file into this scope, then dump every variable it defined
include_once("hiddencode.php");
print_r(get_defined_vars());
?>
Suddenly I know what variables they left lying around in the variable table…
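One way to apply the advice above, as an added example that is not code from the original post: build the connection inside a function so the credentials are function locals that disappear on return, then check from global scope that nothing credential-shaped survives. The environment variable names and the sqlite fallback DSN are assumptions so the script runs without a MySQL server; the mysql DSN from the post works the same way.

```php
<?php
// Added example (not from the original post). The env var names and the
// sqlite fallback DSN are assumptions; in production DB_DSN would be the
// mysql DSN shown in the post.

function connectDb(): PDO
{
    // Credentials exist only in this function's scope. A later include that
    // calls get_defined_vars() from global scope cannot enumerate them.
    // (Code in the same process can still call getenv(); this narrows the
    // exposure to the variable table, which is the point the post makes.)
    $dsn      = getenv('DB_DSN')  ?: 'sqlite::memory:';
    $username = getenv('DB_USER') ?: 'db_user';
    $password = getenv('DB_PASS') ?: 'db_pass';

    return new PDO($dsn, $username, $password, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Returns true when any variable in the given scope dump holds the secret,
// so the same check can be run against get_defined_vars() from any scope.
function scopeLeaksSecret(array $definedVars, string $secret): bool
{
    foreach ($definedVars as $name => $value) {
        if (is_string($value) && $value === $secret) {
            return true;
        }
    }
    return false;
}

$pdo = connectDb();

// Global scope now holds $pdo only. PDO has no public properties, so
// print_r()/var_dump() of the object do not expose the password either.
$secret = getenv('DB_PASS') ?: 'db_pass';
$leaks  = scopeLeaksSecret(get_defined_vars(), $secret);
echo $leaks ? "credential string visible in global scope\n"
            : "no credential strings in global scope\n";
print_r($pdo);
```

Note that `$secret` is assigned after the dump is taken, so the check reflects what an include running before that line would see; move the call below it to watch the check flip.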