yii2 config\db.php secure?

I'm using the framework Yii2 for the first time and I was wondering if it is secure to write in plain text my database's password in config\db.php? Or is their a more secure way to access to the database?

2 answers

  • answered 2017-06-17 17:53 Bizley

    It should be secure enough as long you are not exposing this file to public users.

    You can store it anywhere on the server basically (as long as it's not exposed to public users) but application should be able to get it fast and easy (to not provide additional delay for the database connection).

  • answered 2017-06-17 17:53 karpy47

    If you are using Git, I believe it is a bad idea to commit any file with a password in it. Personally I keep a separate file with a few crucial passwords outside of Git and load that file in to get the values, like this...

    $ini = parse_ini_file('path/passwords.ini', true);
    
    return [
        'class'    => 'yii\db\Connection',
        'dsn'      => $config['db']['dsn'],
        'username' => $config['db']['username'],
        'password' => $config['db']['password'],
        'charset'  => 'utf8',
    ];
    

    Where passwords.ini would look like...

    // My password file
    [db]
    dsn="mysql:host=localhost;dbname=xxx"
    username="xxx"
    password="xxx"
    

    You could leave db.php out of Git, but I find this more convenient, especially for other config-files where many settings does not affect security.