views: 442

answers: 3

What's the best practice to store database credentials in a CMS? Now I declare them in my Database singleton class:

$this->credentials = array("hostname"=>"hostname", "username"=>"username","password"=>"password", "database"=>"database");

But it's not so intuitive to search where to change them, and also I'm planning to make an install file for the CMS later. Where and how do you store your connection preferences?

+1  A: 

CakePHP uses a config file called database.php (in /app/config/), in which a DATABASE_CONFIG class is declared:

class DATABASE_CONFIG {

    var $default = array(
     'driver' => 'mysql',
     'persistent' => false,
     'host' => 'localhost',
     'login' => 'user',
     'password' => 'password',
     'database' => 'database_name',
     'prefix' => '',
    );

    var $test = array(
     'driver' => 'mysql',
     'persistent' => false,
     'host' => 'localhost',
     'login' => 'user',
     'password' => 'password',
     'database' => 'test_database_name',
     'prefix' => '',
    );
}

This creates a single place where the user can set all their database configurations while the intuitive directory structure makes it obvious where database configurations are stored. And you can also specify multiple configurations for production, development, and testing purposes, which are easy to switch between.

Calvin
This is the typical approach to storing such configuration information. Sometimes .ini or XML formats are used instead, but the idea is the same.
Kalium
One note: if you use .ini/.xml you must block access to them with .htaccess, otherwise everybody will be able to see them.
Alekc
+1  A: 

As a general rule, I don't put credentials directly into the source code, but store them in configuration files. That makes it much easier to change them, for example when you are moving from your development machine to the test machine, which may (should) connect to a different database.

This configuration file should be stored somewhere outside the webroot directory.

You can also encrypt the password in some way, to have a little more security in case the config file does get compromised. On the other hand, if somebody gets physical access to your server, you're screwed anyway, so it may not be worth it.

Treb
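A loader that follows the advice in this answer (config file outside the webroot, one section per environment), as an added example that is not part of the original post. The INI path, section names and the `APP_ENV` variable are assumptions; the sample INI layout in the comment is constructed.

```php
<?php
// Added example, not from the original post. Assumes an INI file stored
// OUTSIDE the webroot (hypothetical path /etc/myapp/database.ini) with one
// section per environment, laid out like this (constructed sample):
//
//   [development]
//   host = localhost
//   login = dev_user
//   password = dev_secret
//   database = app_dev
//
//   [production]
//   host = db.internal
//   login = app
//   password = CHANGE_ME
//   database = app_prod

function loadDatabaseConfig($path, $environment)
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("Config file not found: $path");
    }
    // Refuse to load a file that lives under the document root: a
    // misconfigured handler could serve it as plain text.
    $docRoot = empty($_SERVER['DOCUMENT_ROOT']) ? false : realpath($_SERVER['DOCUMENT_ROOT']);
    if ($docRoot !== false && strpos($real, $docRoot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("Refusing to read credentials from inside the webroot: $real");
    }
    $all = parse_ini_file($real, true);
    if ($all === false || !isset($all[$environment])) {
        throw new RuntimeException("No [$environment] section in $real");
    }
    foreach (array('host', 'login', 'password', 'database') as $key) {
        if (!isset($all[$environment][$key])) {
            throw new RuntimeException("Missing '$key' in [$environment] of $real");
        }
    }
    return $all[$environment];
}

function connect(array $cfg)
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $cfg['host'], $cfg['database']);
    return new PDO($dsn, $cfg['login'], $cfg['password'],
        array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
}

// Pick the environment from the process environment, defaulting to development.
$pdo = connect(loadDatabaseConfig('/etc/myapp/database.ini', getenv('APP_ENV') ?: 'development'));
```

Pair this with filesystem permissions that let only the web server user read the INI file (for example owner root, group of the web server user, mode 0640), so the credentials stay out of reach even if directory listing or a mis-mapped handler exposes other files.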
+1  A: 

You can use a singleton class, as you mentioned, or something simpler.

In all my config.inc.php files I have a standard associative array:

$config['Main_Database'] = '';
$config['db_user'] = '';
$config['db_pass'] = '';
$config['db_host'] = '';

The concept is the same and you're on the right track. Make it something that, as a human, makes sense to you. If someone has access to your server you're screwed anyway, so it's not a big deal in terms of what is more secure.

As for the install file, I've seen many apps open the config file, adjust a few specific parts via the code and then actually re-write the file back to the server (rather than "store a setting"). It achieves the same result but done through a wizard as opposed to manually.

jerebear
I like that approach, thank you.
Deniss Kozlovs