In PHP we can use files to store sensitive data, but those files must have certain levels of protection.
Let's take the example of a file that stores our database connection credentials.
To save this important information I have created a file db.php.ini that contains the following:

```ini
<?php return; ?>
; credentials
host=localhost
usuario=elusuariodeladb
clave="laclave"
dbnombre=elnombredeladb
```
This file applies several levels of security:

- It is in a folder outside of the root (`public_html`), so it cannot be accessed through the browser.
- It is in a hidden folder, `.credenciales`.
- It has `<?php return; ?>` at the beginning, so that if by any chance it is accessed by URL it will not display anything.
Reading that file, when connecting to the database, is done like this:

```php
private function Connect()
{
    /* Read the credentials from the ini file (hidden folder .credenciales, outside the web root) */
    $this->credenciales = parse_ini_file(".credenciales/db.php.ini");
    $dsn = 'mysql:dbname=' . $this->credenciales["dbnombre"] .
           ';host=' . $this->credenciales["host"];
    $pwd = $this->credenciales["clave"];
    $usr = $this->credenciales["usuario"];
    // ... more code
}
```
The question
Are there other measures that could be taken to make this file more secure? What would those measures be?
When working with sensitive files (credentials, configuration files, database connections) on a web server, it is recommended that they always be located outside the public directory, so that they cannot be accessed directly.
But is it enough to put the files in a non-public directory?
Obviously not; we must take into account some recommendations to limit access to these files by other means.
This does not guarantee us 100% security, since a server can be compromised due to other factors.
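As an added example (not the asker's `Connect()` method nor the answerer's code), here is a loader for the `db.php.ini` file from the question that applies the advice in this answer: it resolves the file relative to the script instead of the working directory, refuses to run if the file turns out to be inside the document root, refuses a file that other system users can read or write, and fails early on a file that parses but is incomplete. It assumes PHP 8, a hypothetical layout in which this class sits one directory below the application root and the credentials live in `<app>/.credenciales/`, and the class and constant names are inventions for the example.

```php
<?php
declare(strict_types=1);

final class CredentialStore
{
    // Hypothetical locations for this example; both are outside the web root.
    private const CREDENTIALS_FILE = __DIR__ . '/../.credenciales/db.php.ini';
    private const REQUIRED_KEYS    = ['host', 'usuario', 'clave', 'dbnombre'];

    /** @return array<string,mixed> the parsed credentials */
    public static function load(): array
    {
        $path = realpath(self::CREDENTIALS_FILE);
        if ($path === false || !is_file($path)) {
            throw new RuntimeException('Credentials file not found');
        }

        // 1. The "<?php return; ?>" first line only helps if the server happens to
        //    run the file as PHP. Do not rely on that: refuse a file deployed under
        //    the document root at all (DOCUMENT_ROOT is unset on the CLI, so skip then).
        $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
        if ($docRoot !== false && str_starts_with($path, rtrim($docRoot, '/') . '/')) {
            throw new RuntimeException('Credentials file is inside the document root');
        }

        // 2. Other local users (and other sites on a shared host) must not be able
        //    to read or modify the file: expect 0600 or 0640.
        $mode = fileperms($path) & 0777;
        if (($mode & 0007) !== 0 || ($mode & 0020) !== 0) {
            throw new RuntimeException(sprintf('Credentials file mode %04o is too permissive', $mode));
        }

        // 3. Parse it. The leading "<?php return; ?>" is a key with no value,
        //    which parse_ini_file ignores; INI_SCANNER_TYPED keeps quoted strings
        //    as strings instead of converting them.
        $ini = parse_ini_file($path, false, INI_SCANNER_TYPED);
        if ($ini === false) {
            throw new RuntimeException('Credentials file could not be parsed');
        }

        // 4. Fail here rather than connecting with a missing user or password.
        foreach (self::REQUIRED_KEYS as $key) {
            if (!array_key_exists($key, $ini) || $ini[$key] === '') {
                throw new RuntimeException("Missing credential key: $key");
            }
        }
        return $ini;
    }

    /** Open a PDO connection with the loaded credentials, as Connect() does. */
    public static function connect(): PDO
    {
        $c   = self::load();
        $dsn = sprintf('mysql:dbname=%s;host=%s;charset=utf8mb4', $c['dbnombre'], $c['host']);
        $pdo = new PDO($dsn, (string) $c['usuario'], (string) $c['clave'], [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
        unset($c); // do not keep the password in scope longer than needed
        return $pdo;
    }
}

// Usage: $pdo = CredentialStore::connect();
```

The permission check is what makes the "non-public directory" advice hold up: on a shared host the file is typically owned by the deploying user with the web server's group, mode 0640, so that only the PHP worker can read it and nothing else can edit it. Each check throws instead of logging, because a misdeployed credentials file is a configuration error worth stopping on, not one to work around.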
Thank you very much, friend. A great contribution I did not know about, and I sincerely thank you. But I realized that the file extension is ini when it should be php; I tell you because I tested it and it showed the data, because it doesn't resolve the php instruction, and that's obvious. So I reverted the extension and it is db.ini.php, and that's it. By saying that it works for you, I deduce that it works at the system level (parsing) but not when viewing it in the URL. But don't let it bother you, because look how many years later and your contribution is still very useful.
Cheers