When a PHP application makes a database connection it of course generally needs to pass a login and password. If I’m using a single, minimum-permission login for my application, then the PHP needs to know that login and password somewhere. What is the best way to secure that password?

Solution 1

Several people misread this as a question about how to store passwords in a database. That is wrong. It is about how to store the password that lets you get to the database.

The usual solution is to move the password out of source-code into a configuration file. Then leave administration and securing that configuration file up to your system administrators. That way developers do not need to know anything about the production passwords, and there is no record of the password in your source-control.

Solution 2

If you’re hosting on someone else’s server and don’t have access outside your webroot, you can always put your password and/or database connection in a file and then lock the file using a .htaccess:

<files mypasswdfile>
order allow,deny
deny from all
</files>