I developed a php application, and I have a config.php , which store the constant use among the application, in this file, it included all the important information, such as the Mysql server address, port number, user name and passwords. I am worry about someone can get the file, and do something that I don't want, how can I protect this file? Thank you.

• Practice general good password security (don't use dictionary words etc)
• It is good practice to name the file with a .php extension, as you have done, because then the web server is unlikely to be tricked into serving the file as plaintext.
• Make sure config.php is stored outside of web root. That means that if something were to go wrong with your server configuration and it started serving PHP files up as plaintext, you wouldn't leak your database password (because no-one would be able to request config.php).
• Make sure the database credentials are appropriately-named constants, rather than variables. This makes it less likely that you might somehow use them inappropriately (for example, if the password was $password rather than DB_PASSWORD you might do something with the $password variable in the global scope, forgetting that it's in use - unlikely, but a small possibility).

Normally it is just stored in a php file, you can make if belong to the www-data user or what ever your web server is using. If someone does have access to your server they won't be able to open it