{"id":2253,"date":"2017-03-25T14:59:38","date_gmt":"2017-03-25T09:29:38","guid":{"rendered":"https:\/\/www.wikitechy.com\/technology\/?p=2253"},"modified":"2017-03-28T16:26:48","modified_gmt":"2017-03-28T10:56:48","slug":"secure-database-passwords-php","status":"publish","type":"post","link":"https:\/\/www.wikitechy.com\/technology\/secure-database-passwords-php\/","title":{"rendered":"[Solved &#8211; 8 Answers] PHP &#8211; How to secure database passwords in PHP"},"content":{"rendered":"<p><label class=\"label label-warning\">PROBLEM:<\/label><\/p>\n<ul>\n<li>When a PHP application makes a database connection it of course generally needs to pass a login and password.<\/li>\n<li>If you are using a single, minimum-permission login for my application, then the PHP needs to know that login and password somewhere.<\/li>\n<li>What is the best way to secure that password? It seems like just writing it in the PHP code isn&#8217;t a good idea.<\/li>\n<\/ul>\n<p><label class=\"label label-info\">SOLUTION 1:<\/label><\/p>\n<ul>\n<li>The usual solution is to move the password out of source-code into a configuration file.<\/li>\n<li>Then leave administration and securing that configuration file up to your system administrators.<\/li>\n<li>That way developers do not need to know anything about the production passwords, and there is no record of the password in your source-control.<\/li>\n<\/ul>\n<p><label class=\"label label-info\">SOLUTION 2:<\/label><\/p>\n<ul>\n<li>If you&#8217;re hosting on someone else&#8217;s server and don&#8217;t have access outside your webroot,<\/li>\n<li>you can always put your password and\/or database connection in a file and then lock the file using a .htaccess:<\/li>\n<\/ul>\n<div class=\"code-embed-wrapper\"> <div class=\"code-embed-infos\"> <span class=\"code-embed-name\">php code<\/span> <\/div> <pre class=\"language-php code-embed-pre line-numbers\"  data-start=\"1\" data-line-offset=\"0\"><code class=\"language-php code-embed-code\">&lt;files mypasswdfile&gt;<br\/>order allow,deny<br\/>deny from all<br\/>&lt;\/files&gt;<\/code><\/pre> <\/div>\n[ad type=&#8221;banner&#8221;]\n<p><label class=\"label label-info\">SOLUTION 3:<\/label><\/p>\n<ul>\n<li>The most secure way is to not have the information specified in your PHP code at all.<\/li>\n<li>If you&#8217;re using Apache that means to set the connection details in your httpd.conf or virtual hosts file. If you do that you can call mysql_connect() with no parameters, which means PHP will never ever output your information.<\/li>\n<li>This is how you specify these values in those files:<\/li>\n<\/ul>\n<div class=\"code-embed-wrapper\"> <div class=\"code-embed-infos\"> <span class=\"code-embed-name\">php code<\/span> <\/div> <pre class=\"language-php code-embed-pre line-numbers\"  data-start=\"1\" data-line-offset=\"0\"><code class=\"language-php code-embed-code\">php_value mysql.default.user      myusername<br\/>php_value mysql.default.password  mypassword<br\/>php_value mysql.default.host      server<\/code><\/pre> <\/div>\n<ul>\n<li>Then you open your mysql connection like this:<\/li>\n<\/ul>\n<div class=\"code-embed-wrapper\"> <div class=\"code-embed-infos\"> <span class=\"code-embed-name\">php code<\/span> <\/div> <pre class=\"language-php code-embed-pre line-numbers\"  data-start=\"1\" data-line-offset=\"0\"><code class=\"language-php code-embed-code\">&lt;?php<br\/>$db = mysqli_connect();<\/code><\/pre> <\/div>\n<h4 id=\"or-like-this\"><span style=\"color: #ff00ff;\">Or like this:<\/span><\/h4>\n<div class=\"code-embed-wrapper\"> <div class=\"code-embed-infos\"> <span class=\"code-embed-name\">php code<\/span> <\/div> <pre class=\"language-php code-embed-pre line-numbers\"  data-start=\"1\" data-line-offset=\"0\"><code class=\"language-php code-embed-code\">&lt;?php<br\/>$db = mysqli_connect(ini_get(&quot;mysql.default.user&quot;),<br\/>                     ini_get(&quot;mysql.default.password&quot;),<br\/>                     ini_get(&quot;mysql.default.host&quot;));<\/code><\/pre> <\/div>\n<p><label class=\"label label-info\">SOLUTION 4:<\/label><\/p>\n<p>This solution is general, in that it is useful for both open and closed source applications.<\/p>\n<ul>\n<li>Create an OS user for your application.<\/li>\n<li>Create a (non-session) OS environment variable for that user, with the password.<\/li>\n<li>Run the application as that user<\/li>\n<\/ul>\n<h4 id=\"advantages\"><span style=\"color: #993300;\"><b>Advantages:<\/b><\/span><\/h4>\n<ol>\n<li>You won&#8217;t check your passwords into source control by accident, because you can&#8217;t<\/li>\n<li>You won&#8217;t accidentally screw up file permissions. Well, you might, but it won&#8217;t affect this.<\/li>\n<li>Can only be read by root or that user. Root can read all your files and encryption keys anyways.<\/li>\n<li>If you use encryption, how are you storing the key securely?<\/li>\n<li>Works x-platform<\/li>\n<li>Be sure to not pass the envvar to untrusted child processes<\/li>\n<\/ol>\n<p>This method is suggested by Heroku, who are very successful.<\/p>\n[ad type=&#8221;banner&#8221;]\n<p><label class=\"label label-info\">SOLUTION 5:<\/label><\/p>\n<ul>\n<li>If it is possible to create the database connection in the same file where the credentials are stored.<\/li>\n<li>Inline the credentials in the connect statement.<\/li>\n<\/ul>\n<div class=\"code-embed-wrapper\"> <div class=\"code-embed-infos\"> <span class=\"code-embed-name\">php code<\/span> <\/div> <pre class=\"language-php code-embed-pre line-numbers\"  data-start=\"1\" data-line-offset=\"0\"><code class=\"language-php code-embed-code\">                                       mysql_connect(&quot;localhost&quot;, &quot;me&quot;, &quot;mypass&quot;);<\/code><\/pre> <\/div>\n<ul>\n<li>Otherwise it is best to unset the credentials after the connect statement, because credentials that are not in memory, can&#8217;t be read from memory<\/li>\n<\/ul>\n<div class=\"code-embed-wrapper\"> <div class=\"code-embed-infos\"> <span class=\"code-embed-name\">php code<\/span> <\/div> <pre class=\"language-php code-embed-pre line-numbers\"  data-start=\"1\" data-line-offset=\"0\"><code class=\"language-php code-embed-code\">include(&quot;\/outside-webroot\/db_settings.php&quot;);  <br\/>mysql_connect(&quot;localhost&quot;, $db_user, $db_pass);  <br\/>unset ($db_user, $db_pass); <\/code><\/pre> <\/div>\n<p><label class=\"label label-info\">SOLUTION 6:<\/label><\/p>\n<ul>\n<li>Best way is to not store the password at all!<\/li>\n<li>For instance, if you&#8217;re on a Windows system, and connecting to SQL Server,you can use Integrated Authentication to connect to the database without a password, using the current process&#8217;s identity.<\/li>\n<li>If you do need to connect with a password, first encrypt it, using strong encryption (e.g. using AES-256, and then protect the encryption key, or using asymmetric encryption and have the OS protect the cert), and then store it in a configuration file (outside of the web directory) with strong ACLs.<\/li>\n<\/ul>\n<p><label class=\"label label-info\">SOLUTION 7:<\/label><\/p>\n<h4 id=\"we-have-solved-it-in-this-way\"><span style=\"color: #ff6600;\">We have solved it in this way:<\/span><\/h4>\n<ol>\n<li>Use memcache on server, with open connection from other password server.<\/li>\n<li>Save to memcache the password (or even all the password.php file encrypted) plus the decrypt key.<\/li>\n<li>The web site, calls the memcache key holding the password file passphrase and decrypt in memory all the passwords.<\/li>\n<li>The password server send a new encrypted password file every 5 minutes.<\/li>\n<li>If you using encrypted password.php on your project, you put an audit, that check if this file was touched externally &#8211; or viewed. When this happens, you automatically can clean the memory, as well as close the server for access.<\/li>\n<\/ol>\n<p><label class=\"label label-info\">SOLUTION 8:<\/label><\/p>\n<ul>\n<li>An additional trick is to use a PHP separate configuration file that looks like that<strong> :<\/strong><\/li>\n<\/ul>\n<div class=\"code-embed-wrapper\"> <div class=\"code-embed-infos\"> <span class=\"code-embed-name\">php code<\/span> <\/div> <pre class=\"language-php code-embed-pre line-numbers\"  data-start=\"1\" data-line-offset=\"0\"><code class=\"language-php code-embed-code\">&lt;?php exit() ?&gt;<br\/><br\/>[...]<br\/><br\/>Plain text data including password<\/code><\/pre> <\/div>\n<ul>\n<li>This does not prevent you from setting access rules properly.<\/li>\n<li>But in the case your web site is hacked, a &#8220;require&#8221; or an &#8220;include&#8221; will just exit the script at the first line so it&#8217;s even harder to get the data.<\/li>\n<li>Nevertheless, do not ever let configuration files in a directory that can be accessed through the web.<\/li>\n<li>You should have a &#8220;Web&#8221; folder containing your controler code, css, pictures and js. That&#8217;s all. Anything else goes in offline folders.<\/li>\n<\/ul>\n[ad type=&#8221;banner&#8221;]\n","protected":false},"excerpt":{"rendered":"<p>PROBLEM: When a PHP application makes a database connection it of course generally needs to pass a login and password. If you are using a single, minimum-permission login for my application, then the PHP needs to know that login and password somewhere. What is the best way to secure that password? It seems like just [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[4877,3350,2974,4880,4881,4879,2972,4878,4091,2363],"class_list":["post-2253","post","type-post","status-publish","format-standard","hentry","category-php","tag-best-way-to-store-password-in-database","tag-how-can-i-prevent-sql-injection-in-php","tag-how-should-i-ethically-approach-user-password-storage-for-later-plaintext-retrieval","tag-how-storing-database-info-outside-webroot-of-php-applications-will-improve-security","tag-how-to-securely-provide-a-database-password-to-the-application","tag-php-securing-database-connection-credentials","tag-secure-hash-and-salt-for-php-passwords","tag-securing-db-password-in-php","tag-why-is-char-preferred-over-string-for-passwords","tag-why-shouldnt-i-use-mysql_-functions-in-php"],"_links":{"self":[{"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/posts\/2253","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/comments?post=2253"}],"version-history":[{"count":0,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/posts\/2253\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/media?parent=2253"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/categories?post=2253"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/tags?post=2253"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}