Let's say you have a config.php that holds sensitive information like a DB user password. It is not recommended to store that file in the document root, right?
Why is that so and is it a safer approach to store sensitive information in the index.php of the document root?
For me, the first scenario that comes to mind is a misconfiguration that lets users download or view .php files, rather than parse them and present them as text/html. Say you perform an upgrade, something goes wrong, and Apache is no longer parsing your scripts. Somebody notices that Apache is sending your PHP files as plain text, and is able to open config.php and see the source code (and all the sensitive database configuration parameters inside).
To take this idea just a little bit further. Ideally you wouldn't store much more than a simple script that accesses your codebase, and your static files like images and css in the web root.
eg:
webroot/index.php
webroot/images/img1.jpg
webroot/images/img2.jpg
webroot/css/base.css
lib/myclass1.php
lib/myclass2.php
And your index.php would look something like this:
<?php
$CODEBASE = '/usr/home/wwwuser/wherever/it/is';
include $CODEBASE."/lib/myclass1.php";
$code = new MyClass1();
$code->doStuff();
?>
It's not a safer approach to store configuration data in index.php than config.php; they are both equally prone to being displayed if PHP somehow fails to parse their contents. The advantage to using a separate file for configuration data is that you may limit access to it, effectively preventing anyone from reading it over the HTTP protocol and keeping your data safe(r) even if PHP isn't parsing it.
Related
I have an HTML file with a Form on it, where once the user clicks "submit", a PHP file is called which connects to a MySQL database and updates it with data from the Form.
Question is, how do I mask/hide the passwords to the MySQL database in my PHP code file?
I'm reading all sorts of things about working with "config" files and/or moving things into different directories so as to prevent others from accessing them - I get it in theory - but what are the actual steps I'm supposed to take to make this happen? Like where do I start? What's step #1, what's step#2, etc?
Everyone seems to offer little snippets of code, but I haven't found any good start-to-finish tutorial on this.
I called GoDaddy - where my account & DB are sitting - to see if their tech-support guys could help - no one was able to tell me what exactly to do, where to start, etc.
Can anyone out there help?
I think the other answers here are missing the point. If I'm not mistaken, you're talking about your mysql user password. The one which you use to establish a connection to the database in the first place. Right?
Well, you don't hide this. It's in a php file which is code. The public can't read your code (assuming your server is secure) so don't worry about that. Yes, your password is stored simply as text in a php file. It's fine.
A PHP file can include other PHP files that are outside the document root. So if you make a config file (in your case it could just be a fancy name for a file that defines a bunch of variables) and place it outside the document root of your webserver, and then include this file in your client-facing PHP file, that should do the trick.
The reason to put it outside your client-facing PHP file and outside the document root is if somehow through some exploit someone was able to access the actual PHP code.
EDIT following comment from OP:
Your config file could be just like any other PHP file, beginning with <?php and ending with ?>. In between you would define at least one or two variables - $db_username and $db_password and set them equal to their corresponding values. Make note of where you put this file, and in the file that needs to establish a DB connection, just put include('/path/to/config/file'); and use the variables you defined in the mysql_connect command.
I have a site complete with CMS etc all working under one domain name. It turns out for legal reasons one page on this site has to sit on a different domain name. The page is hooked into the same CMS as the rest of the site (built using codeigniter). I don't want to have to do another installation just for this page.
Is there any simple way to display just this page under a different domain name without taking it out of the current application?
Thanks a lot
You should look at either (in order):
an include()with correct php.ini configuration
a file_get_content() and printing the variable into your page
an <iframe src="yoururl"> wich would be the easy peasy but unsafe way
using the on-purprose curllibrary
using fopen() wich theorically allows distant files to be opened, but based on my experience, it's not that reliable
Look at this site, it seems rather exhaustive regarding your problem.
Try including the file
<?php include 'http://www.domain.com/url/to/file/page.html' ?>
I think what you need here is a symlink, which is something I don't know too much about. My understanding is that the path displayed to the user does not in fact have to have anything to do with where the file is actually stored, meaning you can set this up to have a completely different URL while keeping it as part of your original application.
A simpler thing is doing a redirect...it's one line of code in your .htaccess file and you're good to go.
include is a possible solution depending on the format of the remote page (ie, this won't work very well if the remote page has a full DOM structure, and you're trying to include the remote page within the DOM structure of your CMS page), however more information about that remote page would be needed to help determine if include() alone would be enough.
Regardless, if include() does, work, you must make sure allow_url_include in php.ini is enabled, as by default script execution will terminate when encoutering a remote URL include statement.
i have been given a php application as an internship project to clean up. The developer before has declared stuff like dbhost,dbuser so many times. On each script page. I was wondering what sort of design php developers use to get around this. i.e making a property file ? etc..
Generally most applications have a common include file, usually named something like "bootstrap", that defines global options and values and sets up some initialisation code. Then each page that is requested includes this file first.
In your case you'd put your database configuration in this bootstrap (perhaps traditionally in /includes/bootstrap.php), then for each page where it is required require "./includes/bootstrap.php";.
As an example, phpBB includes its 'kernel bootstrapper' on each page.
In order to avoid errors you should use require_once:
require_once "./includes/bootstrap.php";
This way even if multiple scripts try to include that specific file it is only included once.
Do not make a property file, or, if you insist, be certain that it cannot be downloaded through HTTP. The advantage of a PHP file is that, even if hackers guess the file name, it won't reveal much.
Put all DB credentials into a separate .PHP file, e.g. db_settings.php and then insert everywhere
<?
...
include "db_settings.php";
... ?>
You may even insert database connection code into the same file.
Can I make my .htaccess be generated with php?
I would like to use php to dynamicly create my htaccess file from information from the database.
It would save me the trouble of making a new .htaccess file whenever I change a bit of my code.
You can read and write files with the file system functions, for example:
$data = <<<EOF
RewriteEngine on
RewriteRule …
EOF;
file_put_contents('.htaccess', $data);
But it would be more flexible if you use one static rule that redirect the requests to your PHP file that then does the rest.
Can you? Sure. You can create files in the filesystem with PHP so long as you have permissions.
Should you? Well, if you are only using PHP in "command-line" mode, I suppose it's as good as another scripting language. If you are doing so from a website, I would say this is a bad idea for security reasons. Another technology might be more appropriate (if you originally had XML, then XSLT would come to mind, but you're using mysql, so you'll need some other kind of script).
You definitely can generate your .htaccess with PHP if you had a backend script to do it - say in your admin area. But it seems risky and potentially unnecessary? if something goes wrong, your site will be down until you fix it - that potentially means the page you're using to generate it. Why not just create an interface that generates the new rules for you from a database, then you can have a quick look over and copy them in?
What exactly is it that you're trying to update?
Ok so this is my situation...a web application in PHP uses a "config" file for various parameters. This config file is nothing but a php file, say config.php with a global array of the form
$config['param_name'] = 'param_value';
$config['param_name2'] = 'param_value2';
Now I am currently writing an admin app that I want to use to control the main app. One of the things I want the admin app to be able to do is change the config values. So my use case will be something like change the value through an html form element and it should change the config.php replacing the value of the corresponding array index.
This is obviously not specific to php; but I'd love to hear some ideas on how one would go about editing this file. Any ideas?
Thanks!
I have another suggestion: have the configuration parameters sit in a database. Have your admin console work on the database instead.
If you are worried about performance, use APC to cache the parameters.
This way, you can add this configuration database to your other database backup procedure you have already in place.
I would suggest moving all configurable options out of the PHP file and into an external storage (INI file, database, xml, anything). Then you can initialize all the variables you read from the external file in your application's bootstrap file
Another option is to modify the PHP configuration file so it reads its information from an easy-to-access format like YAML.
That way the config file could be accessed by just about any language. A good alternative if you don't want yo use a database.