Store them in a file outside web root.

Put the database password in a file, make it read-only to the user serving the files.

Unless you have some means of only allowing the php server process to access the database, this is pretty much all you can do.

Previously we stored DB user/pass in a configuration file, but have since hit paranoid mode -- adopting a policy of Defence in Depth.

If your application is compromised, the user will have read access to your configuration file and so there is potential for a cracker to read this information. Configuration files can also get caught up in version control, or copied around servers.

We have switched to storing user/pass in environment variables set in the Apache VirtualHost. This configuration is only readable by root -- hopefully your Apache user is not running as root.

The con with this is that now the password is in a Global PHP variable.

To mitigate this risk we have the following precautions:

• The password is encrypted. We extend the PDO class to include logic for decrypting the password. If someone reads the code where we establish a connection, it won't be obvious that the connection is being established with an encrypted password and not the password itself.
• The encrypted password is moved from the global variables into a private variable The application does this immediately to reduce the window that the value is available in the global space.
• phpinfo() is disabled. PHPInfo is an easy target to get an overview of everything, including environment variables.

Just putting it into a config file somewhere is the way it's usually done. Just make sure you:

1. disallow database access from any servers outside your network,
2. take care not to accidentally show the password to users (in an error message, or through PHP files accidentally being served as HTML, etcetera.)

We have solved it in this way:

1. Use memcache on server, with open connection from other password server.
2. Save to memcache the password (or even all the password.php file encrypted) plus the decrypt key.
3. The web site, calls the memcache key holding the password file passphrase and decrypt in memory all the passwords.
4. The password server send a new encrypted password file every 5 minutes.
5. If you using encrypted password.php on your project, you put an audit, that check if this file was touched externally - or viewed. When this happens, you automatically can clean the memory, as well as close the server for access.

If you are using PostgreSQL, then it looks in ~/.pgpass for passwords automatically. See the manual for more information.