basic php - mySQL database login question

[JohnDahl]

The w3schools tutorials are well written and very clear, but when I got to the MySQL database section red flags went up:

https://www.w3schools.com/php/php_mysql_connect.asp

specifically this code snippet:

<?php
$servername = "localhost";
$username = "username";
$password = "password";

yada yada yada...
?>

 

The password in plain text? Just so? Without comment or explanation? That CAN'T be right...

Surely the password should be obscured somehow, correct? Aren't there security concerns here? Regardless this should be explained or commented on somewhere on that page.

 

Today I put this php code snippet in a protected folder and used the "include" keyword to access the database, but still the password is saved in plain text.

 

[Ingolme]

The password is never sent over the internet, this is just source code of a program that only ever gets executed on the server.

[dsonesuk]

True the password for an example is simple text, but unless you can view that file through an actual editor, all you will ever see opening the php file with just that snippet on the server is a blank page.

[justsomeguy]

The only danger there is if an attacker has access to your filesystem then they can read the contents of files like that.  But if an attacker has access to your filesystem then you have bigger problems than leaking a database password.

[JohnDahl]

On 8/15/2018 at 8:17 PM, dsonesuk said:

True the password for an example is simple text, but unless you can view that file through an actual editor, all you will ever see opening the php file with just that snippet on the server is a blank page.

 

On 8/15/2018 at 9:15 PM, justsomeguy said:

The only danger there is if an attacker has access to your filesystem then they can read the contents of files like that.  But if an attacker has access to your filesystem then you have bigger problems than leaking a database password.

OK, thank you both for replying (I never received a notification despite subscribing to the topic!??)

It just seems so wrong to put a password in plain text - I was expecting something like Linux "shadow passwords" where the password is obfuscated. There do exist software packages that encrypt php code, like Zend guard, but this is overkill in my case (and expensive).

Although justsomeguy (I like that name) makes a good point, it would makes sense for w3schools to explicitly point out that plain text passwords in the php file is "normal", and why this is ok. I never get warm fuzzies when I see plaintext passwords.

Since the website runs on a linux platform maybe sometime later I will look into shadow passwords for that php code. If nothing else I will learn more about linux security.