InfinityQuest - Programming Code Tutorials and Examples with Python, C++, Java, PHP, C#, JavaScript, Swift and more

Keeping Passwords Out of Your Site Files in PHP

InfinityCoder December 20, 2016

You need to use a password to connect to a database, for example. You don’t want to put the password in the PHP files you use on your site in case those files are exposed.

Store the password in an environment variable in a file that the web server loads when starting up. Then, just reference the environment variable in your code:

$db = new PDO($dsn, $_SERVER['DB_USER'], $_SERVER['DB_PASSWORD']);

Although this technique removes passwords from the source code of your pages, it makes them available in other places that need to be protected.

Most importantly, make sure that there are no publicly viewable pages that call phpinfo(). Because phpinfo() displays all of the environment variables, it exposes any passwords you store there.

Also, make sure not to expose the contents of $_SERVER in other ways, such as with the print_r() function.

Next, especially if you are using a shared host, make sure the environment variables are set in such a way that they are only available to your virtual host, not to all users.

With Apache, you can do this by setting the variables in a separate file from the main configuration file:

SetEnv DB_USER     "susannah"
SetEnv DB_PASSWORD "y23a!t@ce8"

Inside the <VirtualHost> directive for the site in the main configuration file (httpd.conf), include this separate file as follows:

Include "/usr/local/apache/database-passwords"

Make sure that this separate file containing the password (e.g., /usr/local/apache/database-passwords) is not readable by any user other than the one that controls the appropriate virtual host.

When Apache starts up and is reading in configuration files, it’s usually running as root, so it is able to read the included file.

A child process that handles requests typically runs as an unprivileged user, so rogue scripts cannot read the protected file.
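
The two checks this article calls for (the included password file must not be readable by other users, and no page may call phpinfo() or dump $_SERVER) can be run as a small audit script. This is an added example, not code from the original article; the function names are hypothetical and both paths are supplied by the caller.

```shell
#!/bin/sh
# Added example: audit helpers for the Apache/PHP setup described above.
# Function names are hypothetical; all paths are supplied by the caller.

# Succeeds only if the file exists and grants no permissions to group or
# other (mode string like -rw-------). ACLs are not inspected.
secrets_file_is_private() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        -???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Prints (sorted) every .php file under the given directory that calls
# phpinfo() or dumps $_SERVER / $_ENV with print_r, var_dump or var_export.
find_env_leaks() {
    { find "$1" -type f -name '*.php' -exec grep -lE \
        'phpinfo[[:space:]]*\(|(print_r|var_dump|var_export)[[:space:]]*\([[:space:]]*\$_(SERVER|ENV)' \
        {} + || true; } | sort
}

# Stand-alone use: audit.sh <secrets-file> <document-root>
if [ "$#" -eq 2 ]; then
    secrets_file_is_private "$1" || echo "WARNING: $1 is readable beyond its owner"
    leaks=$(find_env_leaks "$2")
    [ -z "$leaks" ] || printf 'Environment exposed by:\n%s\n' "$leaks"
fi
```

A file that merely reads $_SERVER['DB_PASSWORD'] to open the connection is not reported; only calls that print the whole array or the phpinfo() page are.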
