security - Where to store database login credentials for a PHP application

Question

We have a development server and a live server with different database connection details (username, password, etc).

Currently we're storing BOTH the database connection details in a initial.php and one is selected if a DEFINE statement is present. We manually add that DEFINE statement on our live server.

Is this a safe approach? What are better / alternative approachs for managing DB connection security?

One consequence of this is that every developer can see the database connection details and that's a bit risky...

Answer 1

I use an .ini-file, which is then parsed via parse_ini_file(INI_FILENAME_HERE, true). This file isn't under version control (as are the php-/template-/whatever-files). So on every machine I create that file (.database.ini) for the respective database connection.

Example .ini-file for a MySQL-connection, using PDO:

[db_general]
driver = "mysql"
user = "USERNAME"
password = "PASSWORD"

; DSN
; see http://www.php.net/manual/en/pdo.drivers.php
[db_data_source_name]
host = "localhost"
port = 3306
dbname = "DATABASE_NAME"

; specify PDO-options, provide keys without PDO::
; see http://www.php.net/manual/en/pdo.drivers.php
[db_pdo_options]
MYSQL_ATTR_INIT_COMMAND = "SET NAMES utf8"

; specify more PDO-attributes, provide keys without PDO::
; see http://php.net/manual/en/pdo.setattribute.php
[db_pdo_attributes]
ATTR_CASE = "PDO::CASE_LOWER"
ATTR_ERRMODE = "PDO::ERRMODE_EXCEPTION"
ATTR_EMULATE_PREPARES = false

Since one can't use :: within .ini-file-keys, use constant('PDO::' . $iniKey) in your code to get the desired PDO-constants.