Suppose I have a .php script on my server which interacts with a MySQL server.
Part of it is:
    function sqlQuery($queryString) {
        ...
        $mysqli = new mysqli("theHost:some-port", "DB_allowed_username", "password123", "dbName");
        ...
    }
This script is solely server-side, and something like DevTools or view-source://web.address will not show the source code.
However, it is really important that nobody is able to see this source code because it bears my username and password for one of the privileged users of the database. Is there some other way someone could discover these details, and if so, how do I hide them more securely?
Note: currently I have an SSL certificate, but it is not guaranteed that I will have it indefinitely.
Answer
Browsers can see the PHP code only if your HTTP server becomes misconfigured. I have seen this happen, for example, on Apache if the PHP handler directives are removed from the httpd.conf file. Then the code in .php files is delivered to browsers as-is.
A good way to protect your password against that (rare) possibility is to store the password in a config file that is read by your PHP code, and put the config file outside the Apache document root directory.
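
One way to implement the approach described in the answer, as an added example that is not part of the original answer. The directory layout, the path `/var/www/example/private/db.ini`, the ini key names, and the function names `loadDbConfig` and `dbConnect` are assumptions.

```php
<?php
declare(strict_types=1);
// Added example. Assumed layout (hypothetical paths):
//   /var/www/example/public_html/    Apache DocumentRoot
//   /var/www/example/private/db.ini  config file, not reachable by any URL
// db.ini contents (constructed sample values):
//   host = "theHost"
//   port = 3306
//   user = "DB_allowed_username"
//   pass = "password123"
//   name = "dbName"
const DB_CONFIG_PATH = '/var/www/example/private/db.ini';

function loadDbConfig(string $path, string $docRoot): array
{
    $real = realpath($path);
    if ($real === false || !is_readable($real)) {
        throw new RuntimeException('Database config file is missing or unreadable.');
    }
    // Refuse a config file that resolves (after symlinks) to a location inside
    // the document root, where a handler misconfiguration would serve it as text.
    $root = $docRoot !== '' ? realpath($docRoot) : false;
    if ($root !== false && strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0) {
        throw new RuntimeException('Database config file must live outside the document root.');
    }
    // Refuse a world-readable file (POSIX permission bits).
    if ((fileperms($real) & 0004) !== 0) {
        throw new RuntimeException('Database config file must not be world-readable.');
    }
    $cfg = parse_ini_file($real, false, INI_SCANNER_TYPED);
    foreach (['host', 'port', 'user', 'pass', 'name'] as $key) {
        if ($cfg === false || !isset($cfg[$key])) {
            throw new RuntimeException("Database config is invalid or missing key: $key");
        }
    }
    return $cfg;
}

function dbConnect(): mysqli
{
    $cfg = loadDbConfig(DB_CONFIG_PATH, $_SERVER['DOCUMENT_ROOT'] ?? '');
    // Make connection failures throw exceptions instead of emitting warnings.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name'], (int) $cfg['port']);
}
```

The script under the document root then contains only the call to `dbConnect()`, so a raw-source leak of that file exposes the config path but not the credentials.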