How to secure database passwords in PHP?

Question

When a PHP application makes a database connection it of course generally needs to pass a login and password. If I\'m using a single, minimum-permission login for my applica

Answer 1

This solution is general, in that it is useful for both open and closed source applications.

1. Create an OS user for your application. See http://en.wikipedia.org/wiki/Principle_of_least_privilege
2. Create a (non-session) OS environment variable for that user, with the password
3. Run the application as that user

Advantages:

1. You won't check your passwords into source control by accident, because you can't
2. You won't accidentally screw up file permissions. Well, you might, but it won't affect this.
3. Can only be read by root or that user. Root can read all your files and encryption keys anyways.
4. If you use encryption, how are you storing the key securely?
5. Works x-platform
6. Be sure to not pass the envvar to untrusted child processes

This method is suggested by Heroku, who are very successful.