On Tue, Nov 1, 2011 at 8:24 AM, Florian Müller <floripipo@xxxxxxxxxxx> wrote:
>
> Hi all
> I got a little question about a good application design in PHP.
> If I use a mysql connection for example, I have to store my mysql-password somewhere in the code. If it's just in the mysql-class, that's not that good, because if somebody changes the functionality, he'd see it.
> I also can't store it in a text file. Until now, I just created a password class where all the passwords are described and I can get them by a get-function.
> Where are passwords stored in the big applications? There has to be at least one big masterpassword somewhere - how can I store it safely? How is this problem solved in big systems in production?
> Thanks for help ;)
> Regs, Flo.

As Alain and Jim have replied, storing the password in a file outside the reach of the web server is important.

I find it interesting to hear you say you can't store the password in a text file but you seem to be able to store it in a .php class -- which is also a file on the system. In what way is this safer than storing it in a text file (unless you mean the text file was visible to the web server -- then I understand).

In large production systems I've worked on, the passwords were maintained by the IT support group, and you had to use special functions to get them in your application that only they maintained the interface to. This way, they could control who had access to what databases for dev, test, stage and production. It also did generate a bit of a bureaucracy for the company to maintain this, so it has to be thought through rather carefully. (What happens when the IT people who knew the passwords and access software leave, etc.)

For an application farm, having this in one place well-known to the Ops, Dev, Test and Integration people is the best solution.

Using a single database user and password for all applications is not a bad thing as long as they're for the same domain/company, as long as that fits their security needs/policies. I wouldn't use the same db name & password for different clients' installations, however.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
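The pattern the reply describes, a credentials file kept outside the web server's reach and an accessor function that is the only thing application code calls, looks like this in PHP. This is an added example, not code from the thread or from any of its posters. The file path `/etc/myapp/db.ini`, the class and function names, and the INI layout are all assumptions chosen for the example; the checks that the file is not under the document root and is not world-readable are the two things a reviewer would want to see enforced before the password is ever read.

```php
<?php
// Added example (not from the original thread): load database credentials
// from a file outside the web server's document root, through one accessor,
// so no .php class in the code base ever contains the password itself.
//
// Assumed layout (hypothetical paths, not from the thread):
//   /var/www/html/      <- document root served by the web server
//   /etc/myapp/db.ini   <- credentials, mode 0640, owned by root:www-data
//
// Assumed contents of /etc/myapp/db.ini (one section per environment):
//   [production]
//   host = "db.internal"
//   user = "app_prod"
//   password = "replace-me"
//   dbname = "app"
//   [development]
//   host = "127.0.0.1"
//   user = "app_dev"
//   password = "replace-me-too"
//   dbname = "app_dev"

declare(strict_types=1);

final class DbCredentials
{
    // Assumed location; anything under the document root would be refused below.
    private const CONFIG_FILE = '/etc/myapp/db.ini';

    /** @var array<string, array<string, string>> */
    private static array $cache = [];

    /**
     * Return the credentials block for one environment (dev, test, production...).
     * Throws rather than falling back to a default, so a missing or badly
     * protected file fails loudly at startup instead of silently in production.
     */
    public static function forEnvironment(string $env): array
    {
        if (isset(self::$cache[$env])) {
            return self::$cache[$env];
        }
        $file = self::CONFIG_FILE;
        self::assertOutsideDocumentRoot($file);
        self::assertNotWorldReadable($file);

        // Sections are returned as nested arrays; quoted values keep their text.
        $ini = parse_ini_file($file, true);
        if ($ini === false || !isset($ini[$env]) || !is_array($ini[$env])) {
            throw new RuntimeException("no credentials for environment '$env'");
        }
        foreach (['host', 'user', 'password', 'dbname'] as $key) {
            if (!isset($ini[$env][$key]) || (string) $ini[$env][$key] === '') {
                throw new RuntimeException("credentials for '$env' lack '$key'");
            }
        }
        return self::$cache[$env] = $ini[$env];
    }

    /** Refuse a credentials file the web server could serve as a static file. */
    private static function assertOutsideDocumentRoot(string $file): void
    {
        $docRoot = $_SERVER['DOCUMENT_ROOT'] ?? '';
        $real = realpath($file);
        if ($docRoot === '' || $real === false) {
            return; // CLI run or file missing; the permission check reports the latter
        }
        $root = rtrim(realpath($docRoot) ?: $docRoot, '/') . '/';
        if (strncmp($real, $root, strlen($root)) === 0) {
            throw new RuntimeException("credentials file $file is inside the document root");
        }
    }

    /** Refuse a file that any local account can read (the "other" read bit). */
    private static function assertNotWorldReadable(string $file): void
    {
        $perms = @fileperms($file);
        if ($perms === false) {
            throw new RuntimeException("cannot stat credentials file $file");
        }
        if (($perms & 0004) !== 0) {
            throw new RuntimeException("credentials file $file is world-readable");
        }
    }
}

// Application code only ever calls the accessor; the secret never appears here.
function connectDb(string $env = 'production'): mysqli
{
    $c  = DbCredentials::forEnvironment($env);
    $db = new mysqli($c['host'], $c['user'], $c['password'], $c['dbname']);
    if ($db->connect_error) {
        // Log details for operators; do not echo them, they name hosts and users.
        error_log('DB connect failed: ' . $db->connect_error);
        throw new RuntimeException('database unavailable');
    }
    return $db;
}
```

Keeping one section per environment in the same file is what lets an operations group hand out dev, test, stage and production access separately, as the reply describes; rotating a password then means editing that one file, not searching the code base for a hard-coded string.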