Just looking for some tips if this is good enough or if i should do anything different to "hide" my database credentials. Been searching for a long time. I have found alot of ways to do this and feel everyone does it a different way. So wondering if this is good enough. Thank you.
Right now I'm storing a config.ini file with my database credentials outside of the public directory.
Then inside the public directory I got a folder name db_includes. This is where i have my db connection php file. This is the code for the database connection.
$config = parse_ini_file('../../private/config.ini');
$db = new \PDO('mysql:dbname='.$config['DB_NAME'].';host='.$config['DB_SERVER'].';charset=utf8mb4', ''.$config['DB_USERNAME'].'', ''.$config['DB_PWD'].'');
Also inside the db_includes folder i got a .htaccess file that has "deny from all" so its not possible to get to that db_includes folder or the database connection file.
Is this good or should i also move the database connection file outside of the public directory and just call it when i need it?
There's a few ways of doing it. First, I recommend using a PHP file to store the credentials, this way if your htaccess fails, the php file will be parsed anyway and your credentials won't appear:
config.php:
<?php
return [
"DB_NAME" => "database",
"DB_USER" => "user"
// ...
];
Wherever you need:
$config = require "path/to/config.php";
$db = new \PDO('mysql:dbname='.$config['DB_NAME'].';host='.$config['DB_SERVER'].';charset=utf8mb4', ''.$config['DB_USERNAME'].'', ''.$config['DB_PWD'].'');
If possible, keep it outside your public folder as it is a good way to make it safe.
Remember that if your database and server is well configured and safe enough you don't need to worry about database credentials.
What is the best approach to storing a group of global settings for a custom PHP application? I am working on a personal project (first major one really), and need a method of storing key-value pairs for recording overall settings for the application.
Things to store as...
Website's Global Name.
Theme (just a variable, or path to theme)
etc
Should I just keep them in one table? If so what is the best way to query them from a boostrap? Besides doing a single query for each desired setting.
UPDATE:
Yes a .ini or parsing an include file would be nice, and I know how to do it that way. But I wanted to know what would be the best approach to storing them in MySQL with everything else.
UPDATE2:
The reason I ask this also is I plan for a lot of these settings to be changeable through the Administrator interface. So if you were to change the Title of the site, it would be updated right away, which I figured would be best to do through SQL, thus needing setting inside the DB.
For a single, small, simple site, I'd just put config in a PHP file. Keep it simple. PHP probably doesn't parse anything faster than it parses PHP. If you use APC, the compiled bytecode is even cached -- although the bytecode is then re-executed for every request. For a small config file, this bytecode execution should take very little time; for a very large file, it might take a bit longer.
For high-traffic sites with large configs, caching your config data in APC (e.g. as a single array) is a good idea -- at the very least, you save the overhead of actually executing the statements in your config.php file. Notably, facebook does this. When you're serving many requests per second, hitting the disk to read a config file (using parse_ini_file, an XML parser, etc.) on every request is out of the question.
For my current project, we host many sites, each with their own config. Each site had both a database and a config file; however, making sure you're always using the right config file with the right database can become a headache. Additionally, changes would require changing things in two places -- the db and the config. Forgetting one or the other always caused problems, and it happened far too frequently.
We moved the config into the database, so that you can't possibly separate a db from it's correct config, and any code changes only require updating the database. The data from the config table is also aggressively cached in APC, so we query it rarely.
So, to recap:
Small site: just use a config.php file
Very large site: cache in APC
Multiple sites: store config in database to reduce administration overhead; cache in APC to reduce database hits
Have you thought about putting them in a .php file and including it on the pages you need to use them? Give the variables a unique name so avoid naming conflicts.
Since you'll be using them repeatedly in your PHP application, this would be most ideal. This also avoids the need to make database calls if you were to store them in a database.
AppSettings.php
<?php
$_SITENAME_ = 'MyWebsite';
$_THEME_ = 'Theme/Path';
?>
UPDATE:
I assume you want these settings to be editable via a web page and don't want multiple DB Queries since these settings will change, but not too often?
One approach I personally took was to serialize the AppSettings table and store it in a XML file. Of course, every time the table is updated, the table would be reserialized and stored in the XML file. Then I created a separate class that parses the XML file and returns the specific values I needed.
We just use
$siteConfig['db_name'] = 'database1';
$siteConfig['site_name'] = 'Stackoverflow';
In a included php file. Putting the values in a array helps with name conflicts.
i understand you want to keep things in a mysql table, however, that likely means storing required configuration in multiple places. for example, i'm sure you'll want the database server and name stored in a string somewhere. that means putting those in an include or .ini file since you can't read them from a database (how can you connect to the database without knowing those things). so, you'd be keeping the db connection info in an include or .ini file and the rest of the settings in the database? that works, i suppose, but i like to keep all of the settings in one file (config.php or application.ini or whatever). it makes it easier to maintain imo.
-don
Just got done chatting with a few people on IRC about this. I looked at how Wordpress handled this after I pulled up a SQL dump of one copy. I think I'll use this layout and rename the columns a bit. But the idea is...
option_id | option_name | option_value | autoload
int | varchar | longtext | varchar
(PRIMARY) | (UNIQUE) | |
I liked Microsoft.Net's web.config ConfigurationManager.appSettings and how that worked. So I mimicked it and kinda made it better. It
Works in any environment without having to swap files (which I always forget, especially when deploying on Friday at 4:59 p.m.)
Is self documenting on what the function call is
Can handle global settings with *
<?php
namespace Library {
// the config depends on the environment, and the environment depends on the website url
class Configuration {
private static $environment;
public static function GetEnvironment(){
if(empty(Configuration::$environment)){
// returns 'dev' or 'prod'
switch($_SERVER['SERVER_NAME']){
case 'innitech.com':
Configuration::$environment = 'prod';
default:
Configuration::$environment = 'dev';
}
}
return Configuration::$environment;
}
private const settings = [
"dev" => [
'dbserver' => 'localhost',
'database' => 'mydb',
'dbuser' => 'myuser',
'dbpassword' => 'mypass',
'dbdebug' => false,
'trace' => true
],
'prod' => [
'dbserver' => 'sql1.innitech.com',
'database' => 'blahinc',
'dbuser' => 'proddb',
'dbpassword' => 'ButIWasToldiDgETaStApLer',
],
'*' => [
'adminemail' => 'admins#innitech.com',
'adminphone' => '123456789',
'dbdebug' => false,
'trace' => false
]
];
public static function Setting($name){
return self::setting[self::GetEnvironment()][$name] ??
self::setting['*'][$name];
}
}
}
?>
Usage
$conn = new mysqli(Configuration::Setting('dbserver'), Configuration::Setting('dbuser'), Configuration::Setting('dbpassword'), Configuration::Setting('database'));
What has mentioned before, is true. I like the one more than the other, but I mostly use another way of storing my configuration.
I never use a database as the place to store my settings, because that would create a lot of data transfers, which can make the application a little more insecure- in my opinion. Besides, some application hosts (like Amazon's AWS and Google's Cloud Platform) limit the read/write actions to a database.
Therefore, I mostly use this method:
Firstly, I create a file config/settings.php with the following contents:
<?php
return [
'database' => [
'host' => 'localhost',
'port' => 3006,
'user' => 'username',
'password' => // your secret password
],
'application' => [
'name' => 'Your site\'s name',
'version' => '1.0-dev'
]
]
When you want to use this in you index.php file, add the following line in it:
$config = include('./config/settings.php');
I hope this can add some information for you or others.
I generally within my index.php file set up the "required" settings so:
<?php
session_start();
ob_start();
define('BASEPATH', $_SERVER['DOCUMENT_ROOT'].'/_setUp/siteSetup/'); // CHANGE TO THE PATH OF THE SITE.
define('URIPATH', 'http://localhost/_setUp/siteSetup/'); // CHANGE TO THE URL OF THE SITE.
define ('DEBUGGER', true); // CHANGE TO FALSE TO HIDE DEBUG MESSAGES
include(BASEPATH.'system/lib/config.lib.php');
?>
and within my config file:
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
// public
/*
example:
<img src="<?php echo IMG ?>my_image.jpg">
http://localhost/public/images/
<img src="http://localhost/public/images/my_image.jpg">
*/
define('CSS', URIPATH.'public/css/'); // DEFINE DIR: css
define('IMG', URIPATH.'public/images/'); // DEFINE DIR: images
define('JS', URIPATH.'public/scripts/'); // DEFINE DIR: scripts
// system
define('INC', BASEPATH.'system/includes/'); // DEFINE DIR: includes
define('LIB', BASEPATH.'system/lib/'); // DEFINE DIR: lib
define('SQL', BASEPATH.'system/sql/'); // DEFINE DIR: sql
if (DEBUGGER) {
ini_set('log_errors',TRUE);
ini_set("error_log", BASEPATH.'system/'."error_log.txt");
}
else {
ini_set('log_errors',TRUE);
ini_set("error_log", BASEPATH.'system/'."error_log.txt");
}
$db_info = array(
'host' => 'localhost',
'username' => 'root',
'password' => 'root',
'database' => 'my_db'
);
/*
to use:
$db_info = unserialize(DB_INFO);
echo $db_info['host'];
echo $db_info['username'];
echo $db_info['password'];
echo $db_info['database'];
*/
define('DB_INFO', serialize($db_info));
?>
A decent approach would be to fetch commonly used settings once per page, via database. Something like keeping a autoload bool field that checks whether the setting should be loaded with the page. For other, much less commonly fetched settings, you can fetch them over the air.
If you decide to cache them all instead of fetching for every page, you might want to think of a way to notify the script to reload the settings -- or you'd have to manually tell it to do so, so you wouldn't get stuck with old settings after changing some.
I'm working with a system that does store its settings in the database.
My advice in short: Do not do it!
Storing the settings in the database means, whenever we have to move the database, e.g. from production to development, we also have to update all the settings, or the dev system might start sending e-mails (did happen--made front-page news...) or interact with production systems (also happened--saved by backups...)
So, no, never store the configuration in the database!
When you store the settings in a file, local to the environment (dev, test, prod) you can move the database around at your leisure, always assured the settings will be picked up from the file in the respective environment.
Update: Giving it some more thought I'd probably go for a combination of a table (non-lethal information without server info or integration info or anything else that will kill you if it isn't environment specific) and a .ini-file (or several).
The rule would be that a key in a .ini-file would always override anything stored in the table (to prevent above disasters, maybe even make that key "read-only" from any UI).
If you want to get extra fancy you might even add value types; boolean represented as a checkbox, dates with a date selector, even select boxes with separated option values, and of course ints that would have to be numbers even if the table might store them as strings.
Then I'd look into using some form of memory-based caching if reading the settings got slow.
I know Magento stores the database connection details within the local.xml file, however our firm is trying to avoid passwords and other sensitive data being stored within our git repo's for security purposes.
I know you can create Environment Variables easily via an .htaccess file, but I'm hoping to find a workable solution that will enable me to set this database information dynamically from a environment variable.
As the local.xml is an XML file and as this is a non dynamic/server-side filetype we cannot use it to read environment variables.
Would there be a way to somehow add in some hook/custom behaviour to Magento in which I could replace the local.xml with a PHP file that will allow me to pull in these environment variables?
So in a sense, the local.XML would become a local.PHP file with the ability to read my own custom environment variables such DB_HOST, DB_USERNAME, DB_PASSWORD rather than having them already set in the xml file as localhost, root, password123 etc.
Any ideas on how best to achieve this, or are there any existing Magento add-ons/extensions/mods that will allow me to do this?
I would suggest git ignore your local.xml and dynamically create it with your deploy script. your deploy script should have your sensitive data variables.
I found an alternative solution to the problem. I extended Mage_Core_Model_Config_Element and overrode the 'xmlentities' function to check if the configuration value it is returning starts with a dollar sign, and if so substitute it with the equivalent environment variable.
If it helps anyone else, here it is...
https://github.com/rossigee/magento-config-envvars
Please try this solution:
copy app/code/core/Mage/Core/Model/App.php to app/code/local/Mage/Core/Model/App.php and replace the _initBaseConfig() method with the following one:
protected function _initBaseConfig()
{
Varien_Profiler::start('mage::app::init::system_config');
$this->_config->loadBase();
/* Read DB connection config from environment variables */
$connection = $this->_config->getNode('global/resources/default_setup/connection');
$connection->setNode('host', $_ENV['DB_HOST']);
$connection->setNode('username', $_ENV['DB_USERNAME']);
$connection->setNode('password', $_ENV['DB_PASSWORD']);
Varien_Profiler::stop('mage::app::init::system_config');
return $this;
}
This must help.
* EDIT
protected function _initBaseConfig()
{
Varien_Profiler::start('mage::app::init::system_config');
$this->_config->loadBase();
/* Read DB connection config from environment variables */
$this->_config->getNode('global/resources/default_setup/connection')
->setNode('host', $_ENV['DB_HOST'])
->setNode('username', $_ENV['DB_USERNAME'])
->setNode('password', $_ENV['DB_PASSWORD']);
Varien_Profiler::stop('mage::app::init::system_config');
return $this;
}
Have you considered simply adding local.xml to .gitignore and creating/updating it as part of your deployment process? Note that local.xml typically stores more than just database credentials. For example, it might also store the configuration for the caching backend(s) as and session storage. These are usually also server specific, and will make things very messy if you try to avoid using local.xml.
I am defining my database in the php file
define ('DB_HOSTNAME', 'localhost');
define ('DB_USERNAME', 'user');
define ('DB_PASSWORD', 'pass');
define ('DB_DATABASE', 'dbase');
Is there a built in way I can store an encrypted / hashed password in a text file and then de encrypt it in the program rather than storing my password in my source code.
I back up my source codes to repository thats accessible to lots of people.. beyond my group too..
Then what you want is to separate the sensitive configuration from the source code. Don't check it into the repository, keep it in a protected file somewhere on trusted computers and only deploy it to the production server separately from the code.
I'm building a service, which has a few cronjobs running, written in Python. However, this is my first Python-project ever, so I'm still a very beginner.
What I'm doing now, is that I have my database-connection handled on every file, so basically if I wanted to change the host, I would need to go through all the files. I'm now looking into a PHP-include() similar method for Python, so that I could include some general stuff instead of copy-pasting.
Also, the Python-files are ran in cronjob, so the method should work on cronjobs too :)
If it's really just a couple of settings for a single database connection, just put it in a Python module and import it in all of your files. Why add any complexity you don't need?
If it's more complicated, use ConfigParser as #AdamMatan suggested.
# dbconfig.py
host = '127.0.0.1'
user = 'stack'
password = 'overflow'
# db.py
import dbconfig
print dbconfig.host
print dbconfig.user
print dbconfig.password
Use an external configuration file, with your db connection (host, name, password, db, ...) in it, and read the configuration file from within the Python script.
This makes changes easy (even for non-programmers) and nicely complies with the Single Choice Principle.
Example:
db.cfg
[db]
host=127.0.0.1
user=stack
password=overflow
db.py
import ConfigParser
config = ConfigParser.ConfigParser()
config.readfp(open('db.cfg'))
print config.get('db', 'host')
Execution result:
127.0.0.1
If you need to call __import__(), you are doing it wrong.
You need to refactor your code so that you no longer have the database connection routines scattered throughout your codebase. Yes, it would be even nicer to have these details in a configuration file (+1 #Adam Matan), but first you need to eliminate the duplication. This will save you a world of pain in the long run.