CodeIgniter Forums
proper place to keep userid and password for mysql - Printable Version


proper place to keep userid and password for mysql - richb201 - 10-25-2019

Where should I keep the userid and password? Should they be put in a .env file? Right now I have the userid and password hard-coded into database.php. That can't be right? Where should I keep those fields?


RE: proper place to keep userid and password for mysql - InsiteFX - 10-25-2019

Please read this first.

Paragon Initiative Enterprises Blog - The 2018 Guide to Building Secure PHP Software


RE: proper place to keep userid and password for mysql - richb201 - 10-25-2019

Thanks Insite. Lots of good info in there. It would take me a year or longer to do all the things it mentions. I guess the goal would be to pick the 5 most important ones, and fix those. What are the five most important?

Anyway, I am in the middle of Dockerizing my app and have mysql in a separate container from the php 7.2. So clearly I will need to modify the way my app logs in to mysql, such as using the container name. But since I am touching this part of the code, I figured it is a good time to take my userid/password out of the code and place it somewhere more secure.

Perhaps this is a question for the Docker people? One idea is to make env variables out of them and pass them into the container in the docker-compose.yml?
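
One way to do what the post above suggests, as an added example that is not part of the original thread or any poster's code: a CodeIgniter 3 `application/config/database.php` that reads the MySQL credentials from environment variables passed into the PHP container. The variable names `DB_HOST`, `DB_USER`, `DB_PASS` and `DB_NAME` and the `$required_env` helper are assumptions.

```php
<?php
// application/config/database.php (CodeIgniter 3 layout, as in the thread).
// Added example: credentials come from the container environment instead of
// being hard-coded here. DB_HOST, DB_USER, DB_PASS, DB_NAME are assumed names.
defined('BASEPATH') OR exit('No direct script access allowed');

// Hypothetical helper. A closure is used rather than a named function because
// CodeIgniter may include this file more than once per request.
$required_env = function ($name) {
    $value = getenv($name);
    if ($value === false || $value === '') {
        // Fail closed: never fall back to a default or empty password.
        // Log only the variable name, never a value.
        log_message('error', "Missing environment variable: {$name}");
        show_error('Database configuration is incomplete.', 500);
    }
    return $value;
};

$active_group  = 'default';
$query_builder = TRUE;

$db['default'] = array(
    'dsn'      => '',
    'hostname' => $required_env('DB_HOST'), // e.g. the MySQL container's name
    'username' => $required_env('DB_USER'),
    'password' => $required_env('DB_PASS'),
    'database' => $required_env('DB_NAME'),
    'dbdriver' => 'mysqli',
    // Keep detailed query errors off public pages in production.
    'db_debug' => (ENVIRONMENT !== 'production'),
    'char_set' => 'utf8',
    'dbcollat' => 'utf8_general_ci',
);
```

With this in place the credentials live only in the `.env` file next to `docker-compose.yml`, which should stay outside the document root and out of version control.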


RE: proper place to keep userid and password for mysql - jreklund - 10-25-2019

As long as the files aren't accessible from a URL you are safe. You need to have your application and system folders outside your document_root.

/application
/system
/public/index.php
/public/assets/* (js, css, img)


RE: proper place to keep userid and password for mysql - richb201 - 10-25-2019

I am glad I asked!
/opt/docker-substantiator
    /apache
    /app
        /application
            /cache
            /config
            /controllers
            /core
            .
            .
        /assets
        /css
        /images
        /js
        /system
        /uploads
        /vendor
        composer.json
        index.php
    /mysql
    /php
    docker-compose.yml
    .env


I think my document root is /app. What do I need to do?


RE: proper place to keep userid and password for mysql - jreklund - 10-26-2019

You can find the information in the Docs, on what you need to change to be able to move the application and system folder.
https://codeigniter.com/user_guide/installation/index.html


RE: proper place to keep userid and password for mysql - richb201 - 10-26-2019

(10-26-2019, 01:39 AM)jreklund Wrote: You can find the information in the Docs, on what you need to change to be able to move the application and system folder.
https://codeigniter.com/user_guide/installation/index.html

On my Docker install on my laptop base url= 'http://localhost' is aok. I really only have a local install so far.

When I finally put the whole thing up on my server, the base url will be different.  It seems to be saying to just set my view folder to point outside the application folder. That I can do and reset the $view_folder in index.php.  But right now the userid and password of the mysql sit in .env. This is ABOVE the app directory. 
/opt
    /docker-substantiator
        .env
        /app     <<<includes the /application, /system, /vendor, etc

So .env is not accessible from doc root. Is that sufficient for holding my passwords? Must /system be moved?


RE: proper place to keep userid and password for mysql - jreklund - 10-26-2019

Your passwords are safe. The reason you don't want the /application and /system folders inside your /app folder is in case of a misconfigured server, where your source code can be downloaded or displayed in plain text.


RE: proper place to keep userid and password for mysql - richb201 - 10-27-2019

I moved the /application directory to /opt/docker-substantiator/application.
I also changed the line in index.php to:

$application_folder = '/opt/docker-substantiator/application';

When I type localhost in my browser I now get:
Your application folder path does not appear to be set correctly. Please open the following file and correct this: index.php

Any idea what went wrong?


RE: proper place to keep userid and password for mysql - jreklund - 10-27-2019

Nope, I have never used Docker. And I probably never will. I don't see the need to package an application that way.

My guess is that the directory doesn't get mounted, or is just not mounted with /opt being accessible as root.

Try with ../application instead.