Hide config.php Database connection

Hi everybody

Today I'm trying to find a way to hide the connection data to Sugar database.

I know it's written in the config.php file, in dbconfig, but we don't want it to be all exposed.

So I'm trying to implement CyberArk and just change this for CyberArk info, and also change the method that creates the connections so it will go to CyberArk to get the connection data.

Thank you very much!

  • Hi Gerardo,

    I'm not sure whether this solution would help you. Since you are trying to just hide the config settings, it could work.

    You can keep your password in another place where people wouldn't have access. All you need is to give Apache access to this file, but not anybody else.




    And considering your sugar is located


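    Then you would create a helper that reads the password from '/my/pass/path/passwords' and puts it into your config_override.php, like:

    Consider your helper pwdHelper:

    function pwdHelper($key) {
        // Read the file line by line; each line has the form key=value
        $lines = file('/my/pass/path/passwords', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
        foreach ($lines ?: [] as $line) {
            // Split on the first "=": left-hand side is the key, right-hand side is the value
            list($k, $value) = array_pad(explode('=', $line, 2), 2, '');
            if (trim($k) === $key) {
                return $value;
            }
        }
        return null; // key not found
    }
    $sugar_config['dbconfig']['db_user_name'] = pwdHelper('db_user_name');
    $sugar_config['dbconfig']['db_password'] = pwdHelper('db_password');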

    This approach usually works perfectly if you have multiple environments like sandboxes, development and production instance. But maybe this approach could work for you as well.

    Note: This is not a security approach. It's just a way of handling the passwords. 

    Best Regards
    Tevfik Tümer
    Developer Support Engineer

  • Hi Tevfik Tümer

    I like the idea, but here they really want me to use CyberArk since it's the way they handle all passwords for DB connections.

    I might be able to use your idea because the CyberArk connection info can be exposed; then in the pwdHelper I can add the functionality to go and get the connection data from CyberArk.

    function pwdHelper() {
        // Go get the connection data from CyberArk
        $arrayData = array(); // placeholder for the data returned by CyberArk
        return $arrayData;
    }
    $sugar_config['dbconfig'] = pwdHelper();

    I think this way may be the right way, what do you think?

    Thank you very much.


  • Hi Gerardo,

    Sounds better

    I'm glad it helps.

    Best Regards
    Tevfik Tümer
    Developer Support Engineer

  • Hi Gerardo Garcia Lima

    If that answer really helped you, mark it as Answer Correct.



  • How would this solution handle adjustments to the `config.php` and `config_override.php` due to changes in the Sugar Configuration via the UI or an upgrade (e.g. going to Admin -> System Settings and adjusting the logging level)? Would it correctly re-create the `function` block and reference to it?

  • Hi Matthew,

    I understand your concern and point of view. I personally came up with this idea without testing it. The function that is included through config_override.php can be wiped out by any config change or upgrade. But you can add that function to another location under custom/include. That way you could make it work in both conditions. Again, I did not test it, but I believe this way would work.

    But with this kind of solution, the simplest and fastest way would be to replace it with the passwords and proceed with the upgrade. [Possibly you can change the password after every upgrade; that would also increase your security.]

    Best Regards

    Tevfik Tümer

    Developer Support Engineer

    Yeah, you're right, I don't do it because I'm testing other options. As you already noticed, it's a problem to set it in the config_override.php.

    Anyway, the main idea is there, so I'll mark it right now.
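
The file-based helper from the first reply, as an added example that is not part of the original thread and is not SugarCRM code: it refuses a credentials file that users outside the owner and group can access, and it keeps values out of error messages. The path and key names come from the thread; the permission policy, the POSIX file modes, and the temp-file demo with its made-up values are assumptions.

```php
<?php
// Added example, not SugarCRM code. Path and key names follow the thread;
// the policy (no permissions at all for "other") is an assumption.
function pwdHelper(string $key, string $path = '/my/pass/path/passwords'): string
{
    clearstatcache(true, $path);
    $mode = @fileperms($path);
    if ($mode === false) {
        throw new RuntimeException("secrets file not accessible: $path");
    }
    // Fail closed if anyone outside owner/group can read, write or execute.
    if (($mode & 0007) !== 0) {
        throw new RuntimeException(sprintf('%s has mode %04o; remove access for "other"', $path, $mode & 0777));
    }
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        throw new RuntimeException("secrets file not readable: $path");
    }
    foreach ($lines as $line) {
        if ($line[0] === '#') continue; // comment line
        // Split on the first "=" only, so a password may itself contain "=".
        $parts = explode('=', $line, 2);
        if (count($parts) === 2 && trim($parts[0]) === $key) {
            return $parts[1];
        }
    }
    // Name the key, never a value, in errors that may end up in a log.
    throw new RuntimeException("key '$key' not found in secrets file");
}

// Demonstration on a constructed file; the values are made up.
$demo = tempnam(sys_get_temp_dir(), 'pw');
file_put_contents($demo, "db_user_name=sugar_app\ndb_password=ex=ample-only\n");
chmod($demo, 0600); // owner only: accepted
$sugar_config['dbconfig']['db_user_name'] = pwdHelper('db_user_name', $demo);
$sugar_config['dbconfig']['db_password']  = pwdHelper('db_password', $demo);
echo $sugar_config['dbconfig']['db_user_name'], "\n";

chmod($demo, 0644); // world-readable: the helper must refuse
try {
    pwdHelper('db_password', $demo);
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
unlink($demo);
```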