Reputation: 145
At the moment I have two files in a folder on my webserver, one is called password.php. The file contains one line:
<?php $password = 'my_password'; ?>
The other php file contains script that I only want to execute if the correct password parameter is posted to the page. I have it set up like this
<?php require 'password.php';
// && (not the bitwise &) short-circuits, so $_POST["Password"] is only
// read once isset() confirms it exists; === avoids PHP's loose string
// comparison, which can treat two different numeric strings as equal.
if (isset($_POST["Password"]) && $_POST["Password"] === $password) {
    // Execute code...
}
else {
    echo "Error";
}
?>
Now my question is if this is a secure way of ensuring unwanted people cannot execute the script on the page by manually posting info to it? I was told that if the scripting processor became disabled the server could send the raw script back to the server. Does that mean people could purposely disable the processor on www.mysite.com/directory/password.php and see the value of the $password variable?
I was told to: "place password.php in a separate file and store it in a directory located above the www directory. Then it would only be accessible via the local file system and not via HTTP from the outside world."
What exactly is meant by the above suggestion? Should I be doing anything to make the password more secure?
Upvotes: 0
Views: 257
Reputation: 3692
To answer your question, what you were told was to place it outside of the web-accessible space. This means that if your web server has a document root set at /var/www/site, then you should store it outside of that directory, perhaps in /var/www/data, because the latter directory cannot possibly be accessed by a remote HTTP client.
A couple of suggestions:
The password should not be stored in plain text. It should be stored as a hash. Maybe something like this:
<?php $password = 'some-hash'; ?>
Where "some-hash" is a hash of the actual password generated using crypt(), like crypt("password").
Then your check code would look like this:
<?php require '../password.php';
// Pass the stored hash as crypt()'s salt argument so the same salt (and
// algorithm) is reused; crypt() with no salt picks a fresh random salt
// on every call and would never match the stored value.
// hash_equals() compares the two strings in constant time.
if (isset($_POST["Password"]) && hash_equals($password, crypt($_POST["Password"], $password))) {
    // Execute code...
} else {
    echo "Error";
}
?>
The above is just an example; check the PHP manual for the crypt() function for more information on how to use this for best security.
For security purposes, the type of storage (PHP file, database, etc) doesn't really matter. What matters is that the password is not accessible by a browser, and that it is not stored in clear-text.
Upvotes: 2
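The layout and hash check described in this answer, as an added example that is not the answer's own code. It assumes the document root is /var/www/site and the hash file lives at /var/www/data/password.php (both assumed paths); the hash is produced once with password_hash() and verified by feeding the stored hash back into crypt() as its salt argument.

```php
<?php
// Added example (not from the answer). Assumed layout:
//   /var/www/site   <- document root, served over HTTP
//   /var/www/data   <- outside the document root, never served
// /var/www/data/password.php holds only a hash, never the password, e.g.:
//   <?php return '$2y$10$<bcrypt hash>';
//
// Generate the hash once, offline. A bare crypt("password") call cannot
// be used for this: without a salt argument crypt() picks a new random
// salt on every call, so the result never matches what was stored.
function make_hash(string $plain): string {
    return password_hash($plain, PASSWORD_BCRYPT); // bcrypt, random salt
}

// Verification: pass the STORED hash as crypt()'s salt argument so the
// same salt and cost are reused, then compare in constant time.
// password_verify($input, $stored) does exactly this internally.
function check_password(string $input, string $stored): bool {
    $computed = crypt($input, $stored);
    return hash_equals($stored, $computed);
}

// Request handler living inside the document root (e.g. index.php).
// Returns what the page would echo; the protected code runs on 'OK'.
function handle(array $post, string $hashFile): string {
    if (!isset($post['Password']) || !is_string($post['Password'])) {
        return 'Error';
    }
    $stored = require $hashFile;   // e.g. '/var/www/data/password.php'
    if (!check_password($post['Password'], $stored)) {
        return 'Error';
    }
    return 'OK';
}

// Self-contained demo with a constructed hash file in a temp directory.
$tmp = tempnam(sys_get_temp_dir(), 'pw');
file_put_contents($tmp, "<?php return " . var_export(make_hash('my_password'), true) . ";\n");
var_dump(handle(['Password' => 'my_password'], $tmp));
var_dump(handle(['Password' => 'wrong'], $tmp));
var_dump(handle([], $tmp));
unlink($tmp);
```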
Reputation: 2541
How does the folder structure look when you connect to your hosting provider with ftp (or whichever protocol you use to transfer files)? Normally you would have something like
/yourUserName/public
or
/yourUserName/public_html
where you upload all your files that should be available at yourdomain.com. You could place config files (pretty much all server side files actually) outside of the public dir. That means if I go to yourdomain.com/config.php, it's not there.
I usually place my entire app outside the public dir, so it looks something like this
/userName/app
    controllers
    models
    templates
    views
    config.php
    router.php
/userName/public
    css
    js
    index.php
Then I usually do something like this in index.php: require '../app/config.php';
Upvotes: 0
Reputation: 1622
Perhaps not a useful answer but a good tip: never ever ever ever use a hardcoded php variable to store a password. Use htpasswd, above the web directory, or store the password in a database hashed at bare minimum.
Upvotes: 0