In PHP scripts that communicate with the database, I have the username and password to the database in plain text, i.e. mysqli_connect('localhost:3306', 'root', 'PASSWORD!'). From OWASP:
Do not include any credentials in your source code, including (but not limited to) usernames, passwords...
How can this be protected? Also, right now each script has the same code for connecting to the database, so I'm thinking of making one script (base.php) and including it in every page that queries the database. Is this OK, or is it a security risk? If my description was unclear, I'm basically thinking of copying what Cameron Laird does with base in this question.
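As an added example (not part of the original post), here is one way the shared base.php described in the question can avoid holding credentials in source, by reading them from the process environment. The variable names DB_HOST, DB_PORT, DB_USER, DB_PASS and DB_NAME, the helper names db_setting() and db_connect(), and the idea that the web server or process manager sets those variables are all assumptions made for illustration.

```php
<?php
// base.php -- added example, not code from the original post.
// Assumption: DB_HOST, DB_PORT, DB_USER, DB_PASS and DB_NAME (hypothetical
// names) are set in the PHP process environment by the web server or process
// manager, so no credential appears in any file under version control.
// Keep this file outside the web root and load it from each page with:
//     require_once __DIR__ . '/../private/base.php';   // path is an assumption
//     $db = db_connect();
declare(strict_types=1);

// Read one required setting; fail closed if it is missing or empty.
function db_setting(string $name): string
{
    $value = getenv($name);
    if ($value === false || $value === '') {
        // Log the setting name only, never a value.
        error_log("Missing required database setting: $name");
        throw new RuntimeException('Database configuration is incomplete.');
    }
    return $value;
}

// Open the single shared connection used by every page.
function db_connect(): mysqli
{
    // Make mysqli throw exceptions instead of emitting warnings to the page.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    try {
        $db = new mysqli(
            db_setting('DB_HOST'),
            db_setting('DB_USER'),
            db_setting('DB_PASS'),
            db_setting('DB_NAME'),
            (int) (getenv('DB_PORT') ?: 3306)
        );
    } catch (mysqli_sql_exception $e) {
        // The original exception's stack trace can carry the constructor
        // arguments (including the password), so log only the message and
        // rethrow a generic error without chaining the original.
        error_log('Database connection failed: ' . $e->getMessage());
        throw new RuntimeException('Database unavailable.');
    }
    $db->set_charset('utf8mb4');
    return $db;
}
```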