: How to secure database access I am developing a personal web-site with a lot of relatively sensitive (genealogical) information stored in a MySQL database. The site engine is written in PHP.
I am developing a personal web-site with a lot of relatively sensitive (genealogical) information stored in a MySQL database. The site engine is written in PHP. So far (prototype phase) I have only one MySQL account and have hard-coded the database login and password in PHP and implemented user authentication independently from MySQL authentication. So as long as people access my web-site via my PHP engine, it is secure. However if someone manages to get the PHP code itself, they will get full access to the database.
Is it possible and is it a good practice to additionally secure the database by creating a separate MySQL account for each site user and use user password to access MySQL? If yes, then would it be possible to somehow securely store the database login/password between sessions (to enable "remember me" functionality)?
I don't have much experience in web development, this is my first project involving a self-programmed CMS.
More posts by @Welton855
1 Comments
Sorted by latest first Latest Oldest Best
No, it's not good practice to create a database user for every site user. The way you have things setup now is pretty standard. It shouldn't be possible for people to get access to passwords stored in your PHP code unless your server is compromised, and that's pretty much the worst case scenario.
The only caveat is that if you are using some form of source control for your project (e.g. Git), you shouldn't be keeping configuration files that contain passwords in the repository. That way you avoid accidentally exposing passwords if you're using a service like Github, or if you need to give other people access to your code.
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.