Use . ini file to save connection data to DB?

Question

Use . ini file to save connection data to DB?

Asked 6 years, 8 months ago

Viewed 342 times

0

Hello,

Using file . ini to save database connection data is a bad practice?

this is not enough. You need to configure your web server not to let download the file by typing the path in the browser

– Israel Zebulon

2018/03/21 at 21:49
What’s not hard to do @Israelzebulon, but using txt file is actually harder to maintain. Using a static or constant class, with include that is even simpler in the answer below

– Sveen

2018/03/21 at 22:26

1 answer

Browser other questions tagged php

You are not signed in. Login or sign up in order to post.

by Guilherme Nascimento • **98,651** points · Answer 1 · 2018-03-21T22:09:04+00:00

It is not a matter of good practice or bad practice, it is a matter of whether you know how you are doing, for example in the Password of the main bank .env (this file is basically a format .ini only that it uses a custom extension):

https://github.com/laravel/laravel/blob/master/.env.example#L14

But the folder where the data is not available via HTTP (access via site url), because the addresses are pointed to inside the folder ./public

Of course there are programers (pseudo-programmers) who do not understand the logic of the structure of the folder public_html or www in hosting and create a .htaccess without having much understanding about it, which can sometimes end up allowing access to the .env via URL http://site/.env

Now you know what you’re doing, that your .ini will be isolated in a place that only scripts and the administrator will be able to access so there would be no problem.

Of course you can also choose to create a .php with define, for example:

There’s a file called config.php with this content:

<?php
define('DB_HOST', '12*.***.***');
define('DB_USER', 'foo');
define('DB_PASS', 'bar');
define('DB_MAIN', 'banco');

Then it should be included in all main scripts with:

<?php

require_once 'config.php';

...

In mysql would use something like (just an approximate example):

 $link = mysqli_connect(DB_HOST, DB_USER, DB_PASS, DB_MAIN);

PDO (just an approximate example):

 $dbh = new PDO('mysql:host=' + DB_HOST + ';dbname=' + DB_MAIN, DB_USER, DB_PASS);

So if the user accesses via URL http://site/config.php only one blank page will be visible.

One important thing to do is to always turn off the errors in the output and keep only in the log by sitting in php.ini:

 display_errors=off

This is because some debuggers, such as Laravel and other frameworks can display parts of the code, in fact it is a huge mistake to turn on the debuggers in production (on your hosting server), debuggers should be used only in safe environments, as on your machine.