How to protect database passwords in PHP?

Question

When a PHP application establishes a database connection, it usually requires passing a login name and password. If my application uses a single, least privileged login, then PHP needs to know that login and password somewhere. What's the best way to protect that password? It seems like just writing it in PHP code is not a good idea.

Answer 1

If you're hosted on someone else's server and don't have access to content outside of your network root, you can always put your password and/or database connection into a file and then lock that file using .htaccess:

<files mypasswdfile>
order allow,deny
deny from all
</files>

Answer 2

Some people misread this as a question about how to store passwords in the database. That's wrong. It's about how to store the password that gives you access to the database.

The usual solution is to move the password from the source code to the configuration file. Then leave the job of managing and protecting the configuration files to the system administrator. This way, developers don't need to know anything about production passwords, and there are no password records in source control.