MySQL Forums

Re: php and mysql connect problems
Posted by: Nick Roper
Date: April 30, 2005 02:07PM

Hi Conor,

The danger with storing the credentials in a file in a directory under document root is that the file is then available as a URL, and is therefore potentially exposed to attack. This is particularly true if the file is named something like dbconnect.inc, as most browsers will simply display the contents as plaintext; so a URL such as mydomain/inc/dbconnect.inc will display the username & password.

A PHP script can include files from any filepath on the server, even if the location is outside the document root. You just need to make sure that the directory & file have permissions that allow the web server to read the file.

So, you can create a file that sets the access credentials such as:

<?php
// Credentials file: replace the placeholders with the real values
$DB_USER = '<user>';
$DB_PWD = '<password>';

Then, store the file in a directory outside the document root, so that it is not available via a URL, and then include the file into your main PHP script with:

<?php

// some code here

include '/path/to/secure/file.php';

// ...

?>

You can then use $DB_USER & $DB_PWD as normal in the remainder of the script.


Regards,

Nick

--
Nick Roper
