{"id":2253,"date":"2017-03-25T14:59:38","date_gmt":"2017-03-25T09:29:38","guid":{"rendered":"https:\/\/www.wikitechy.com\/technology\/?p=2253"},"modified":"2017-03-28T16:26:48","modified_gmt":"2017-03-28T10:56:48","slug":"secure-database-passwords-php","status":"publish","type":"post","link":"https:\/\/www.wikitechy.com\/technology\/secure-database-passwords-php\/","title":{"rendered":"[Solved &#8211; 8 Answers] PHP &#8211; How to secure database passwords in PHP"},"content":{"rendered":"<p><label class=\"label label-warning\">PROBLEM:<\/label><\/p>\n<ul>\n<li>When a PHP application makes a database connection it of course generally needs to pass a login and password.<\/li>\n<li>If you are using a single, minimum-permission login for my application, then the PHP needs to know that login and password somewhere.<\/li>\n<li>What is the best way to secure that password? It seems like just writing it in the PHP code isn\u2019t a good idea.<\/li>\n<\/ul>\n<p><label class=\"label label-info\">SOLUTION 1:<\/label><\/p>\n<ul>\n<li>The usual solution is to move the password out of source-code into a configuration file.<\/li>\n<li>Then leave administration and securing that configuration file up to your system administrators.<\/li>\n<li>That way developers do not need to know anything about the production passwords, and there is no record of the password in your source-control.<\/li>\n<\/ul>\n<p><label class=\"label label-info\">SOLUTION 2:<\/label><\/p>\n<ul>\n<li>If you\u2019re hosting on someone else\u2019s server and don\u2019t have access outside your webroot,<\/li>\n<li>you can always put your password and\/or database connection in a file and then lock the file using a .htaccess:<\/li>\n<\/ul>\n[pastacode lang=\u201dphp\u201d manual=\u201d%3Cfiles%20mypasswdfile%3E%0Aorder%20allow%2Cdeny%0Adeny%20from%20all%0A%3C%2Ffiles%3E%0A\u201d message=\u201dphp code\u201d highlight=\u201d\u201d provider=\u201dmanual\u201d\/]\n[ad type=\u201dbanner\u201d]\n<p><label class=\"label label-info\">SOLUTION 3:<\/label><\/p>\n<ul>\n<li>The most secure way is to not have the information specified in your PHP code at all.<\/li>\n<li>If you\u2019re using Apache that means to set the connection details in your httpd.conf or virtual hosts file. If you do that you can call mysql_connect() with no parameters, which means PHP will never ever output your information.<\/li>\n<li>This is how you specify these values in those files:<\/li>\n<\/ul>\n[pastacode lang=\u201dphp\u201d manual=\u201dphp_value%20mysql.default.user%20%20%20%20%20%20myusername%0Aphp_value%20mysql.default.password%20%20mypassword%0Aphp_value%20mysql.default.host%20%20%20%20%20%20server%0A\u201d message=\u201dphp code\u201d highlight=\u201d\u201d provider=\u201dmanual\u201d\/]\n<ul>\n<li>Then you open your mysql connection like this:<\/li>\n<\/ul>\n[pastacode lang=\u201dphp\u201d manual=\u201d%3C%3Fphp%0A%24db%20%3D%20mysqli_connect()%3B%0A%0A\u201d message=\u201dphp code\u201d highlight=\u201d\u201d provider=\u201dmanual\u201d\/]\n<h4 id=\"or-like-this\"><span style=\"color: #ff00ff;\">Or like this:<\/span><\/h4>\n[pastacode lang=\u201dphp\u201d manual=\u201d%3C%3Fphp%0A%24db%20%3D%20mysqli_connect(ini_get(%22mysql.default.user%22)%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20ini_get(%22mysql.default.password%22)%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20ini_get(%22mysql.default.host%22))%3B%0A\u201d message=\u201dphp code\u201d highlight=\u201d\u201d provider=\u201dmanual\u201d\/]\n<p><label class=\"label label-info\">SOLUTION 4:<\/label><\/p>\n<p>This solution is general, in that it is useful for both open and closed source applications.<\/p>\n<ul>\n<li>Create an OS user for your application.<\/li>\n<li>Create a (non-session) OS environment variable for that user, with the password.<\/li>\n<li>Run the application as that user<\/li>\n<\/ul>\n<h4 id=\"advantages\"><span style=\"color: #993300;\"><b>Advantages:<\/b><\/span><\/h4>\n<ol>\n<li>You won\u2019t check your passwords into source control by accident, because you can\u2019t<\/li>\n<li>You won\u2019t accidentally screw up file permissions. Well, you might, but it won\u2019t affect this.<\/li>\n<li>Can only be read by root or that user. Root can read all your files and encryption keys anyways.<\/li>\n<li>If you use encryption, how are you storing the key securely?<\/li>\n<li>Works x-platform<\/li>\n<li>Be sure to not pass the envvar to untrusted child processes<\/li>\n<\/ol>\n<p>This method is suggested by Heroku, who are very successful.<\/p>\n[ad type=\u201dbanner\u201d]\n<p><label class=\"label label-info\">SOLUTION 5:<\/label><\/p>\n<ul>\n<li>If it is possible to create the database connection in the same file where the credentials are stored.<\/li>\n<li>Inline the credentials in the connect statement.<\/li>\n<\/ul>\n[pastacode lang=\u201dphp\u201d manual=\u201d%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20mysql_connect(%22localhost%22%2C%20%22me%22%2C%20%22mypass%22)%3B%0A\u201d message=\u201dphp code\u201d highlight=\u201d\u201d provider=\u201dmanual\u201d\/]\n<ul>\n<li>Otherwise it is best to unset the credentials after the connect statement, because credentials that are not in memory, can\u2019t be read from memory<\/li>\n<\/ul>\n[pastacode lang=\u201dphp\u201d manual=\u201dinclude(%22%2Foutside-webroot%2Fdb_settings.php%22)%3B%20%20%0Amysql_connect(%22localhost%22%2C%20%24db_user%2C%20%24db_pass)%3B%20%20%0Aunset%20(%24db_user%2C%20%24db_pass)%3B%20%0A\u201d message=\u201dphp code\u201d highlight=\u201d\u201d provider=\u201dmanual\u201d\/]\n<p><label class=\"label label-info\">SOLUTION 6:<\/label><\/p>\n<ul>\n<li>Best way is to not store the password at all!<\/li>\n<li>For instance, if you\u2019re on a Windows system, and connecting to SQL Server,you can use Integrated Authentication to connect to the database without a password, using the current process\u2019s identity.<\/li>\n<li>If you do need to connect with a password, first encrypt it, using strong encryption (e.g. using AES-256, and then protect the encryption key, or using asymmetric encryption and have the OS protect the cert), and then store it in a configuration file (outside of the web directory) with strong ACLs.<\/li>\n<\/ul>\n<p><label class=\"label label-info\">SOLUTION 7:<\/label><\/p>\n<h4 id=\"we-have-solved-it-in-this-way\"><span style=\"color: #ff6600;\">We have solved it in this way:<\/span><\/h4>\n<ol>\n<li>Use memcache on server, with open connection from other password server.<\/li>\n<li>Save to memcache the password (or even all the password.php file encrypted) plus the decrypt key.<\/li>\n<li>The web site, calls the memcache key holding the password file passphrase and decrypt in memory all the passwords.<\/li>\n<li>The password server send a new encrypted password file every 5 minutes.<\/li>\n<li>If you using encrypted password.php on your project, you put an audit, that check if this file was touched externally \u2013 or viewed. When this happens, you automatically can clean the memory, as well as close the server for access.<\/li>\n<\/ol>\n<p><label class=\"label label-info\">SOLUTION 8:<\/label><\/p>\n<ul>\n<li>An additional trick is to use a PHP separate configuration file that looks like that<strong> :<\/strong><\/li>\n<\/ul>\n[pastacode lang=\u201dphp\u201d manual=\u201d%3C%3Fphp%20exit()%20%3F%3E%0A%0A%5B\u2026%5D%0A%0APlain%20text%20data%20including%20password%0A%0A\u201d message=\u201dphp code\u201d highlight=\u201d\u201d provider=\u201dmanual\u201d\/]\n<ul>\n<li>This does not prevent you from setting access rules properly.<\/li>\n<li>But in the case your web site is hacked, a \u201crequire\u201d or an \u201cinclude\u201d will just exit the script at the first line so it\u2019s even harder to get the data.<\/li>\n<li>Nevertheless, do not ever let configuration files in a directory that can be accessed through the web.<\/li>\n<li>You should have a \u201cWeb\u201d folder containing your controler code, css, pictures and js. That\u2019s all. Anything else goes in offline folders.<\/li>\n<\/ul>\n[ad type=\u201dbanner\u201d]\n","protected":false},"excerpt":{"rendered":"<p>PROBLEM: When a PHP application makes a database connection it of course generally needs to pass a login and password. If you are using a single, minimum-permission login for my application, then the PHP needs to know that login and password somewhere. What is the best way to secure that password? It seems like just [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[4877,3350,2974,4880,4881,4879,2972,4878,4091,2363],"class_list":["post-2253","post","type-post","status-publish","format-standard","hentry","category-php","tag-best-way-to-store-password-in-database","tag-how-can-i-prevent-sql-injection-in-php","tag-how-should-i-ethically-approach-user-password-storage-for-later-plaintext-retrieval","tag-how-storing-database-info-outside-webroot-of-php-applications-will-improve-security","tag-how-to-securely-provide-a-database-password-to-the-application","tag-php-securing-database-connection-credentials","tag-secure-hash-and-salt-for-php-passwords","tag-securing-db-password-in-php","tag-why-is-char-preferred-over-string-for-passwords","tag-why-shouldnt-i-use-mysql_-functions-in-php"],"_links":{"self":[{"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/posts\/2253","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/comments?post=2253"}],"version-history":[{"count":0,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/posts\/2253\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/media?parent=2253"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/categories?post=2253"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/tags?post=2253"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}