I am working on a PHP website and my research showed that it is entirely possible that the server can get hacked and the PHP files may get exposed. I store the MySQL DB username and password within the PHP files in the form of constants, which are then used while forming the connection string.
    <?php
    /* Connection constants, stored in the PHP file itself */
    define("HOSTNAME", "hostname.com:2086");
    define("DBNAME", "databasename");
    define("DBUSER", "databaseusername");
    define("DBPASS", "databasepassword!");

    /* Defining DB Handler */
    try {
        $DBH = new PDO("mysql:host=" . HOSTNAME . ";dbname=" . DBNAME, DBUSER, DBPASS);
        $DBH->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $DBH->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        /* Prints the raw PDO error message (which may include the host and user) to the browser */
        echo $e->getMessage();
    }
If by any chance the PHP files get exposed, this would cause the database and its contents to be at risk too. Am I doing it wrong? Is there a better way to ensure the safety of the database even if the PHP files get exposed?
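One common way to limit the damage when the PHP sources are exposed is to keep the credentials out of the web root entirely, read them from a file only the web server process can read, and connect as a MySQL account that has only the privileges the application needs. The following is an added example, not the asker's code; the path /etc/myapp/db.ini, the key names in it and the account name app_readwrite are assumptions.

```php
<?php
// Added example. Assumed, hypothetical layout of /etc/myapp/db.ini
// (mode 0640, owned by root, group of the web server user):
//   host   = localhost
//   port   = 3306
//   dbname = databasename
//   user   = app_readwrite   ; granted only SELECT/INSERT/UPDATE/DELETE on this DB
//   pass   = <secret>
declare(strict_types=1);

function loadDbConfig(string $path): array
{
    if (!is_file($path) || !is_readable($path)) {
        throw new RuntimeException('database configuration file is missing');
    }
    // Refuse a credentials file that any local user could read.
    if ((fileperms($path) & 0004) !== 0) {
        throw new RuntimeException('database configuration file is world-readable');
    }
    $cfg = parse_ini_file($path, false, INI_SCANNER_RAW);
    if ($cfg === false) {
        throw new RuntimeException('database configuration file could not be parsed');
    }
    foreach (['host', 'port', 'dbname', 'user', 'pass'] as $key) {
        if (!isset($cfg[$key]) || $cfg[$key] === '') {
            throw new RuntimeException("database configuration key '$key' is missing");
        }
    }
    return $cfg;
}

function connectDb(array $cfg): PDO
{
    $dsn = sprintf('mysql:host=%s;port=%d;dbname=%s;charset=utf8mb4',
        $cfg['host'], (int) $cfg['port'], $cfg['dbname']);
    return new PDO($dsn, $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        PDO::ATTR_EMULATE_PREPARES   => false,
    ]);
}

try {
    $DBH = connectDb(loadDbConfig('/etc/myapp/db.ini'));
} catch (Throwable $e) {
    // Keep the detail (host, user, driver error) in the server log; show the client a generic message.
    error_log('DB connection failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Service temporarily unavailable.';
}
```

An attacker who obtains the PHP files then learns only the config path, not the password, and a leaked password still cannot drop tables or read other databases if the account was granted only what the application uses.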