Not sure if this is totally code related, but at the least, it's somehow programming/security related.
I have an iPhone mobile app, which sends/retrieves info to/back from my server, which uses PHP to query database. The database needs username and password, unsurprisingly. My question is that I should put the credential in my PHP code or in my iOS app code. If put into PHP page, good thing is that it's on the server, nobody can view the PHP code and gets password, but anyone knows the PHP page can play with it and therefore mess up my db. If put into app code (pass the password to PHP via parameter), good thing is that the PHP page won't function unless password is passed via parameter, but there are couple of disadvantages, I think: password in URL is not safe and password in iOS app in a jail-brake device is not safe either.
One I know a little bit but don't have much know-how is to hash my password in iOS app code, and before passing it to PHP.
There's lots of ways to do this, I've recently done an app similarly myself. First off, the credentials should definitely live on the server. What you should do is use some sort of hash. The iOS app generates a hash based on several things, a bad example would be
md5('supersecretkey' . 'asd123')
The first key is in the PHP code and iOS code, the second is randomly generated. So the app calls the script like this:
script.php?hash=1a79a4d60de6718e8e5b326e338ae533&key=asd123
The script does the function above with the key and the secret key, it now knows that it must have been the iOS app that generated it.
This is a really simple example of one way of thinking about it, in reality someone could still just decompile the iOS app and get the string, it depends how much you think people are going to try and reverse engineer whatever it is you are writing.
Do you want to release an update to your iOS app just because you have a need to change the username or password for your database? Not every one will update.
Your iOS app shouldn't even know there is a database involved behind the website.
Definitely put the database password on the server.
but anyone knows the PHP page can play with it and therefore mess up my db. ... password in URL is not safe and password in iOS app in a jail-brake device is not safe either.
Neither one of these should be considered an acceptable solution as you are relying on all of your users to be well behaved in both cases. You absolutely should not trust your users with your database credentials by including them in your clients. Additionally you should not trust your users to provide only well formed and valid input which will not "mess up" your database.
You should be enforcing authorization and validity checks on any request from a client to verify that the requesting user is authorized to make that request or change and that any change they are making appears reasonable. Regardless of where credentials are stored you should not honor requests to drop the database, overwrite your high scores list, fetch data belonging to other users, make moves as other players, or whatever else a client can ask for unless those are actually permitted actions in the system you are building.