Where is the most secure place to put MySQL connection details for PHP

Question

Where is the most secure place to put MySQL database connection details when connecting via a PHP script?

$connection = mysql_connect($hostname, $username, $password);
if (!$connection) {die('Could not connect: ' . mysql_error());}
mysql_select_db($database, $connection);

I know it's not a good idea to put them directly in the script that is querying the database. However, some say that you should put the connection details in a separate PHP script and include that script to connect.

Is there a more secure place to put the connection details?

Answer 1

You may want to put it in a directory that is not in the webapp hierarchy, to prevent a browser from having any chance to access it.

Depending on your level of paranoia, you could write a webservice that is behind a firewall, and call for the credentials, but that may be overkill.

It would help if we understood your architecture, is it just php script goes to database, then the first suggestion would be best, if you have firewalls, for example, then you will have more options.

Answer 2

The usual practice is to put them into a separate file, and put that outside the web root. See this answer for details.

Answer 3

If your OS has reasonable security features, it doesn't matter so much where, as long as the file belongs to a group with the minimum possible rights.