Database Connection details exposed in html

beach_defender Posts: 1 Questions: 1 Answers: 0

I have just taken over development of an existing PHP/Zf2/Doctrine based mapping (leaflet.js) application which uses DataTables as a core part of the ViewModel.

I was horrified to find that a previous developer has coded the host, port, dname, username and password in clear JavaScript in index.html.

All one needs to do to find them is view the script of the page, even before logging in.

Leaflet uses REST calls and these db details are not relevant to it.

My quandary is that I have a lot of implementations out there (~100) and a queasy feeling in my stomach.

I'd like to migrate to have Datatools using Doctrine directly. No need then to expose the connection details.

And I need to share the pain.
If anyone has a suggested way forward that would be great.

We are still trying to understand how deep the hole is. We may need to pay to have the work done.

Thanks in advance.
Barry
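
To gauge how many of the ~100 deployments mentioned above serve connection settings to the browser, a check like the following can be run over each fetched index.html; it reports which setting names appear with literal values in inline scripts, without echoing the values. This is an added example, not part of the original post or the application's code; the key variants `dbname` and `user`, the function names and the sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Key names from the post; "dbname" and "user" are assumed variants.
KEYS = ("host", "port", "dname", "dbname", "user", "username", "password")
# Matches key: "v", "key": 'v', key = "v" and port: 3306 (non-empty values only).
ASSIGNMENT = re.compile(
    r"""["']?\b(?P<key>%s)\b["']?\s*[:=]\s*(?:"[^"]+"|'[^']+'|\d+)""" % "|".join(KEYS),
    re.IGNORECASE,
)

class InlineScripts(HTMLParser):
    """Collects the text of <script> elements that have no src attribute."""
    def __init__(self):
        super().__init__()
        self.scripts, self._inline = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script" and not dict(attrs).get("src"):
            self._inline = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = False
    def handle_data(self, data):
        if self._inline:
            self.scripts[-1] += data

def find_exposed_settings(html):
    """Return the sorted key names given literal values in inline scripts."""
    parser = InlineScripts()
    parser.feed(html)
    parser.close()
    return sorted({m.group("key").lower()
                   for s in parser.scripts for m in ASSIGNMENT.finditer(s)})

def is_credential_leak(html):
    """True when a password and a user name both appear: the case to escalate."""
    found = set(find_exposed_settings(html))
    return "password" in found and bool(found & {"user", "username"})

# Constructed sample pages (not taken from the application in the post).
LEAKY = """<html><head><script>
var conn = {host: "db.example.internal", port: 5432, dname: "maps",
            username: "app", password: "EXAMPLE-ONLY"};
</script></head><body></body></html>"""
CLEAN = """<html><head><script src="leaflet.js"></script><script>
var map = L.map('map').setView([51.5, -0.09], 13);
</script></head></html>"""

if __name__ == "__main__":
    for name, page in (("leaky", LEAKY), ("clean", CLEAN)):
        print(name, find_exposed_settings(page), is_credential_leak(page))
```

Any deployment flagged this way should have its database password rotated after the settings are moved server-side, since the old value has already been served to unauthenticated visitors.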

This discussion has been closed.