Welcome to the Treehouse Community
Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.
Looking to learn something new?
Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.
Start your free trialJon South
152 PointsQuestion regarding hashing the database connection password
Hi,
I have a question regarding hashing the database connection password.
Right now I connect to the database via PDO. I have a file.ini that will go outside of root with the database credentials. Everything in the ini file is in plaintext right now.
//config.ini db credentials
servername = "localhost"
user = "admin_test"
pass = "treehouse"
dbname = "db_test"
//Retrieve credentials
$config = parse_ini_file("config.ini");
$this->servername = $config['servername'];
$this->dbname = $config['dbname'];
$this->user = $config['user'];
$this->pass = $config['pass'];
//connect to the database
...
Am I supposed to hash the database password or something? My mind is going in circles right now and I can't figure it out. If I hash the plaintext pass then I need to verify it before connecting, but I don't have the key to verify the hash against since leaving any trace of the password in your code is bad practice.
I realize leaving plaintext passwords in your tables is a big no-no in case the database gets hacked. But what about the actual database password? Can I do something about this except leaving the config file outside of root? I'm not really sure how the mysql database handles/stores its own admin password since it's not in a visible table like you would treat any users of your site.
I would love a security class on treehouse. I find this topic really difficult to grasp.
thanks!
1 Answer
Jason Wist
2,483 PointsI think you are confusing protecting your user's username/pw that are stored within the DB with the username/password you use to connect to the DB.
As long as the username/password you use to connect to the DB is kept private you should be OK. ie Don't commit your config.ini file to a repo.
Worrying about hashing and what not for usernames and passwords you store is another thing.
Keep in mind I'm not the best at this stuff and don't sweat it too much. You are just learning at this point and will make mistakes.