


I'm trying to connect to my database, but I changed my database's root password in the interest of security. However, in order to connect to the database and use PDO, I apparently have to pass my password in the php, which obviously is not good for security:

$hsdbc = new PDO('mysql:dbname=hs database;host=;charset=utf8', 'root','passwordgoeshere');

$hsdbc->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);


Am I being stupid and that because it's PHP no-one but the person who views the actual file will be able to see the password, or is there some way to do it without passing the password in the file.



I have seen websites that expose PHP code, when the Apache type handler for PHP becomes unconfigured by accident. Then the code in .php files is displayed instead of executed. There's also an Apache type handler to display PHP source deliberately, though this is not usually configured.


To avoid this vulnerability, it's a good practice to put your sensitive PHP code outside your htdocs directory. Instead, put in your htdocs directory a minimal PHP script that loads the rest of the code using include() or require().

另一种选择是将MySQL凭据放在配置文件中,而不是放在PHP代码中.例如,PHP函数 parse_ini_file().这样可以很容易地将MySQL密码存储在代码之外.

An alternative is to put your MySQL credentials in a config file instead of PHP code at all. For example, the file format used by /etc/my.cnf and $HOME/.my.cnf is readable by the PHP function parse_ini_file(). It's easy to store your MySQL password outside of your code this way.

例如,从/etc/my.cnf的[mysql][client]部分中读取 user password :

For example, read user and password from the [mysql] or [client] sections of /etc/my.cnf:

$ini = parse_ini_file("/etc/my.cnf", true);

if (array_key_exists("mysql", $ini)) {
    $connect_opts = array_merge($connect_opts, $ini["mysql"]);
} else if (array_key_exists("client", $ini)) {
    $connect_opts = array_merge($connect_opts, $ini["client"]);

$pdo = new PDO($dsn, $connect_opts["user"], $connect_opts["password"]);


05-29 18:28