How to secure database passwords in PHP?

Question

When a PHP application makes a database connection it of course generally needs to pass a login and password. If I\'m using a single, minimum-permission login for my applica

Answer 1

Your choices are kind of limited as as you say you need the password to access the database. One general approach is to store the username and password in a seperate configuration file rather than the main script. Then be sure to store that outside the main web tree. That was if there is a web configuration problem that leaves your php files being simply displayed as text rather than being executed you haven't exposed the password.

Other than that you are on the right lines with minimal access for the account being used. Add to that

• Don't use the combination of username/password for anything else
• Configure the database server to only accept connections from the web host for that user (localhost is even better if the DB is on the same machine) That way even if the credentials are exposed they are no use to anyone unless they have other access to the machine.
• Obfuscate the password (even ROT13 will do) it won't put up much defense if some does get access to the file, but at least it will prevent casual viewing of it.

Peter

Answer 2

We have solved it in this way:

1. Use memcache on server, with open connection from other password server.
2. Save to memcache the password (or even all the password.php file encrypted) plus the decrypt key.
3. The web site, calls the memcache key holding the password file passphrase and decrypt in memory all the passwords.
4. The password server send a new encrypted password file every 5 minutes.
5. If you using encrypted password.php on your project, you put an audit, that check if this file was touched externally - or viewed. When this happens, you automatically can clean the memory, as well as close the server for access.

Answer 3

if it is possible to create the database connection in the same file where the credentials are stored. Inline the credentials in the connect statement.

mysql_connect("localhost", "me", "mypass");

Otherwise it is best to unset the credentials after the connect statement, because credentials that are not in memory, can't be read from memory ;)

include("/outside-webroot/db_settings.php");  
mysql_connect("localhost", $db_user, $db_pass);  
unset ($db_user, $db_pass);  

Answer 4

Put the database password in a file, make it read-only to the user serving the files.

Unless you have some means of only allowing the php server process to access the database, this is pretty much all you can do.

Answer 5

This solution is general, in that it is useful for both open and closed source applications.

1. Create an OS user for your application. See http://en.wikipedia.org/wiki/Principle_of_least_privilege
2. Create a (non-session) OS environment variable for that user, with the password
3. Run the application as that user

Advantages:

1. You won't check your passwords into source control by accident, because you can't
2. You won't accidentally screw up file permissions. Well, you might, but it won't affect this.
3. Can only be read by root or that user. Root can read all your files and encryption keys anyways.
4. If you use encryption, how are you storing the key securely?
5. Works x-platform
6. Be sure to not pass the envvar to untrusted child processes

This method is suggested by Heroku, who are very successful.

Answer 6

Several people misread this as a question about how to store passwords in a database. That is wrong. It is about how to store the password that lets you get to the database.

The usual solution is to move the password out of source-code into a configuration file. Then leave administration and securing that configuration file up to your system administrators. That way developers do not need to know anything about the production passwords, and there is no record of the password in your source-control.