is it secure to write mysql_connect ( "localhost", "root", "mypasswd" ) on file?
Or somthing like
in www/html/inc/
folder
connect_db.php
mysql_connect ("localhost", "root", "hashed_mypasswd");
is this more secure?
Or just write
mysql_connect ("localhost", "root", "mypasswd");
and make the folder (www/html/inc/
) only accessble fro开发者_开发问答m localhost using .htaccess file?
Please help me with a good practice.
As long as the file will be parsed by PHP, there's nothing to worry about, and the one isn't more secure than the other. Nonetheless, there's practicality involved as well: if you write your mysql_connect in more than one place and you've decided to move your database to another host, or you've decided to change the password, or if you found out it's absolutely insecure to connect using the root account (change that ;)), it's easier to have the connect statement in one place.
Also, if PHP isn't parsing your file, you're better off having those critical files outside of the webroot, not even accessible by Apache. That's the most secure way.
If you have to store the password on disk then you should encrypt it. This should prevent casual password recovery by a 3rd party. However, the password is most probably sent over the wire in plaintext (not sure about that for MySql).
精彩评论