Securing database credentials


#1

What is the best way to secure database credentials on DreamHost for a PHP application? I’ve seen a bunch of varying suggestions which generally involve putting the credentials into a separate included file, but where to locate that file and/or whether to utilize environment variables varies, and whether or not you have access to php.ini also seems to make a difference (which I guess is not possible unless I run my own copy of PHP which I don’t really want to do). Thanks.


#2

It does not matter where the credential file lives – as long as it is only readable by you. DreamHost runs PHP using suexec CGI by default (unless you turned off “Run PHP as CGI”), so your scripts run as the same user as the owner of the script, i.e. you, thus they can read owner-readable PHP files inside your site.

To change the file to be only readable by the owner, get into a shell and do:

~$ chmod 600 mysecrets.php
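
A shell check for the permission advice in the reply above, as an added example that is not part of the original posts: it confirms that a credentials file is a regular file owned by the current user with no group or other access, and applies the `chmod 600` from the thread. The function names are hypothetical; `mysecrets.php` is the file name used in the thread.

```shell
#!/bin/sh
# Added example: audit and lock down a PHP credentials file.
# Function names are hypothetical; mysecrets.php is the name from the thread.

# Return 0 only if FILE is a regular file (not a symlink), owned by the
# current user, with no group/other permission bits set (e.g. 600 or 400).
check_secret_perms() {
    f=$1
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "FAIL: $f is not a regular file" >&2
        return 1
    fi
    if [ ! -O "$f" ]; then
        echo "FAIL: $f is not owned by $(id -un)" >&2
        return 1
    fi
    # ls -ld prints a mode string such as "-rw-r--r--";
    # characters 5-10 are the group and other permission bits.
    others=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$others" != "------" ]; then
        echo "FAIL: $f grants group/other access ($others)" >&2
        return 1
    fi
    echo "OK: $f is accessible only by its owner"
    return 0
}

# Apply the mode from the thread, then verify the result.
lock_secret() {
    chmod 600 "$1" && check_secret_perms "$1"
}

# Usage: sh this_script.sh mysecrets.php
if [ $# -gt 0 ]; then
    lock_secret "$1"
fi
```

Running the check again after a deploy or restore catches a file that was re-uploaded with a wider default mode such as 644.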