CodeClarityLab / Glossary
Ctrl K
← CodeClarityLab Home
Browse by Category
+ added · updated 7d
⚖ Terms of Use
← Back to glossary

DSN Security & Connection String Secrets

database PHP 5.0+ Intermediate
debt(d5/e5/b5/t5)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5) — tools like trufflehog, gitleaks, and semgrep (from detection_hints.tools) are specialist secret-scanning tools that can detect hardcoded credentials in code or committed .env files, but they require deliberate integration into CI/CD pipelines rather than being default linter behavior.

e5 Effort Remediation debt — work required to fix once spotted

Closest to 'touches multiple files / significant refactor in one component' (e5) — while the quick_fix suggests using environment variables and secrets managers, remediation often requires: updating config files, modifying deployment scripts, integrating a secrets manager, rotating compromised credentials, and auditing git history; if credentials were committed, they're permanently compromised requiring full credential rotation across all environments.

b5 Burden Structural debt — long-term weight of choosing wrong

Closest to 'persistent productivity tax' (b5) — applies_to shows this affects all PHP contexts (web, cli), and proper secrets management creates ongoing operational overhead: developers need secrets access workflows, CI/CD needs secrets injection, credential rotation must be coordinated, and every new environment or developer requires secrets provisioning; this isn't architectural rework but does impose continuous friction.

t5 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'notable trap' (t5) — the misconception field explicitly states that developers believe 'environment variables are always secure' when they can leak via process listing, phpinfo() pages, error messages dumping $_SERVER, and debug toolbars; this is a documented gotcha that most developers eventually learn but contradicts the common belief that moving credentials to env vars fully solves the security problem.

About DEBT scoring → scored by claude-opus-4-5-20251101 · 2026-05-07 · reviewed by human

Also Known As

DSN security database credentials connection string secrets

TL;DR

Database credentials in connection strings must never be hardcoded — use environment variables or secrets managers, least-privilege users, and never log DSNs.

Explanation

DSN (Data Source Name) contains host, port, database name, username, and password. Security practices: store in environment variables (not committed .env files), use secrets managers (AWS Secrets Manager, HashiCorp Vault) in production, rotate credentials regularly, use least-privilege DB users (SELECT/INSERT/UPDATE/DELETE only, no DDL for app users), and never log the full DSN. PHP: PDO DSN format 'mysql:host=...;charset=utf8mb4'. Disable phpinfo() in production to prevent config exposure.

Common Misconception

Environment variables are always secure — they can leak via process listing, error messages that dump $_SERVER, phpinfo() pages, and debug toolbars; combine env vars with secrets managers and disable debug features in production.

Why It Matters

A database credential committed to git history is permanently compromised — it is visible in every fork and clone forever; treat any credential that has been committed to git as fully breached.

Common Mistakes

  • Hardcoded credentials in PHP source code committed to git
  • .env file with credentials committed to git — .env must be in .gitignore
  • Database error messages that include the connection DSN
  • Root DB user for the application — use least-privilege users

Code Examples

✗ Vulnerable 
// Credentials hardcoded — in every git clone forever:
$pdo = new PDO(
    'mysql:host=db.internal;dbname=production',
    'root',           // Root user — can DROP entire database!
    'password123',    // Hardcoded — permanently in git history
);
✓ Fixed 
// Credentials from environment — never hardcoded:
$dsn = sprintf(
    'mysql:host=%s;dbname=%s;charset=utf8mb4',
    getenv('DB_HOST') ?: throw new RuntimeException('DB_HOST not set'),
    getenv('DB_NAME') ?: throw new RuntimeException('DB_NAME not set')
);
$pdo = new PDO($dsn, getenv('DB_USER'), getenv('DB_PASS'), [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
// DB_USER: app_user with SELECT INSERT UPDATE DELETE only (no DDL)
Added 16 Mar 2026
Edited 22 Mar 2026
Views 20

Curated in Warsaw under one editorial standard. 1,448 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
0 pings T 0 pings F 0 pings S 0 pings S 1 ping M 0 pings T 0 pings W 0 pings T 0 pings F 1 ping S 0 pings S 0 pings M 0 pings T 0 pings W 0 pings T 0 pings F 1 ping S 1 ping S 0 pings M 0 pings T 1 ping W 0 pings T 0 pings F 1 ping S 0 pings S 0 pings M 1 ping T 0 pings W 0 pings T 0 pings F
Agents 0
No pings yet today
No pings yesterday
Amazonbot 6 Perplexity 4 Unknown AI 3 Ahrefs 2 SEMrush 2 Google 1
Also referenced
Environment Variables 48 PDO 35 Hardcoded Credentials 29 Secrets Management 24
How they use it
crawler 16 crawler_json 1 pre-tracking 1
Related categories
php 7.2k security 4.5k database 1.6k linux 535
DEV INTEL Tools & Severity
🔴 Critical ⚙ Fix effort: Low
⚡ Quick Fix
Store database credentials in environment variables, never in code or config files committed to git — use a secrets manager (AWS Secrets Manager, Vault) in production for automatic rotation
📦 Applies To
PHP 5.0+ web cli
🔗 Prerequisites
🔍 Detection Hints
DB password in config/database.php or .env committed to git; connection string with credentials in application code; shared DB credentials across environments
Auto-detectable: ✓ Yes trufflehog gitleaks semgrep
⚠ Related Problems
🤖 AI Agent
Confidence: High False Positives: Low ✗ Manual fix Fix: Medium Context: File
CWE-312 CWE-522
✓ schema.org compliant