
Safely storing db passwords

         

denisl

1:35 pm on Aug 19, 2009 (gmt 0)




I have had several sites on various hosts, and have always stored my db password and username either above the www or in a separate Private folder that could not be accessed via a browser.

I am moving a site where I need better service and don't appear to be able to do this. Their support is telling me to place the password in an .inc file, within the www folder, stating that I can only use.

Is this safe?

phranque

7:47 am on Aug 21, 2009 (gmt 0)




what OS are you using?
perhaps you can use a hidden file such as .htpasswd [httpd.apache.org].
still not an optimal solution but as long as the file is "403 Forbidden" it should be "good enough".

denisl

1:18 pm on Aug 21, 2009 (gmt 0)




Have always been on Linux and as I said, have always placed the db password in a file above www for extra protection.
Have now put the file within a folder in www, protected by .htpasswd which I guess should be pretty safe. I am now amending over 1000 files that had a link to the old password file - have now put the link in a template to avoid this amount of work in the future.

I know php should be parsed and not shown as text, but I have seen it happen.
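Added example, not part of the thread: a check a site owner can run against their own host to confirm that a credentials file inside the web root is refused (the "403 Forbidden" condition discussed above) and that no raw PHP source reaches the client. The paths, the marker strings (including the variable name `$db_pass`) and the local demo server are constructed for illustration.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

def fetch(url, timeout=5):
    """GET url and return (status, body); 4xx/5xx are results, not exceptions."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536)
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536)

def audit(base_url, paths, markers=(b"<?php", b"$db_pass")):
    """Classify each path as 'blocked', 'leaks-source', 'served' or 'status-N'."""
    results = {}
    for path in paths:
        status, body = fetch(base_url.rstrip("/") + "/" + path.lstrip("/"))
        if status != 200:
            results[path] = "blocked" if status in (401, 403, 404) else "status-%d" % status
        elif any(m in body for m in markers):
            results[path] = "leaks-source"  # raw file contents reached the client
        else:
            results[path] = "served"  # 200 without source, e.g. PHP was parsed
    return results

class DemoHost(BaseHTTPRequestHandler):
    """Constructed stand-in for a host: /private/ is denied, /includes/ is not."""
    def do_GET(self):
        if self.path.startswith("/private/"):
            return self.send_error(403)
        if self.path != "/includes/db.inc":
            return self.send_error(404)
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"<?php $db_pass = 'example-only'; ?>")  # constructed file
    def log_message(self, *args):  # keep the demo quiet
        pass

def run_demo():
    with ThreadingHTTPServer(("127.0.0.1", 0), DemoHost) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = "http://127.0.0.1:%d" % server.server_address[1]
        result = audit(base, ["/private/db.inc", "/includes/db.inc"])
        server.shutdown()
        return result

if __name__ == "__main__":
    print(run_demo())
```

Against a real site, call `audit()` with the site's base URL and the path of the include file; any result other than `blocked` for that path means the file is reachable from a browser.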