MultiDev

Reputation: 10659

What are the security implications of having your root path seen?

Up until now, I have been storing the root path of my site on my server in an .ini file outside of the public_html directory:

[settings]
home_url = 'http://www.example.com'
root_path = '/home/this/that/public_html'

And using by:

<?php
// Resolve config.ini relative to this file: two directories up, outside public_html
function parse_ini() {

    $root = dirname(__FILE__);
    return parse_ini_file($root.'/../../config.ini', true); // true = keep [section] structure

} // End parse_ini

function do_something() {

    $ini = parse_ini(); // I now have $ini['settings']['root_path']

}

I feel good about this because the .ini file itself is not publicly accessible, and the only time I parse the file is within a function, so the scope of the data within the file is very limited. This is important as it contains my database credentials.

I am trying to get away from using the .ini file as much as possible, mainly due to the overhead of parsing the file several times per page load (since its scope is always within a function).

What security implications might I face by putting the root path in a constant with a global scope?

define('ROOT_PATH', '/home/this/that/public_html');

I'm thinking of having only the database credentials in the .ini file, and moving everything else out of it. The only thing I haven't found a good place for yet is the root path on the server, and I am a little worried about any possible holes this would open up should someone come across it.

Upvotes: 0

Views: 75

Answers (1)

bytecode77

Reputation: 14860

First things first: Your ini file is "not publicly accessible" - Does that mean it can't be easily found because no one knows the directory? If so, that would be security through obscurity. Otherwise you can protect it using an .htaccess file easily.

If you want to store credentials on the other hand, you should definitely put them in a PHP file. This is the canonical way, because there is no way the content of a PHP file can be read, unless you uninstall PHP from your server. It's also parsed more efficiently.

INI files on the other hand could potentially be read, if other vulnerabilities are present. Never poke too many holes into your security, or eventually it's breached!

TL;DR: Exposing the path is not a problem. If you rent a cheap webhosting package, you can also see the path, which is no vulnerability to the webhoster, so you can figure out it's also not one for you!

Upvotes: 1
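The following is an added example, not code from the question or the answer. It puts the answer's advice (keep settings and credentials in a PHP file that returns an array, rather than an .ini file that a misconfigured server would hand out as text) next to a loader that reads the file once per request, which is the repeated-parsing overhead the question complains about. It also shows that the web root path need not be stored anywhere, since a file inside public_html can derive it from its own location. Every path, directory name and credential value below is constructed for the demo; `load_config`, the temporary layout and the document-root check are my assumptions, not part of the original post.

```php
<?php
// Added example (not from the question or answer). Demonstrates the answer's
// "config in a PHP file" advice plus a once-per-request loader. All paths and
// values are constructed for the demo.

/**
 * Return the configuration array, including $file only on the first call.
 * The static local keeps the data function-scoped, as in the question's
 * parse_ini(), while later calls reuse the cached array instead of re-reading.
 */
function load_config(string $file): array
{
    static $cache = [];

    if (!isset($cache[$file])) {
        $real = realpath($file);
        if ($real === false || !is_readable($real)) {
            throw new RuntimeException("config file not readable: $file");
        }

        // Refuse a config file that lives under the document root: there a
        // server misconfiguration could serve it as a plain download.
        $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
        if ($docRoot !== false
            && strncmp($real, $docRoot . DIRECTORY_SEPARATOR, strlen($docRoot) + 1) === 0) {
            throw new RuntimeException("refusing to load config from inside the document root: $real");
        }

        $config = include $real;          // the config file returns an array
        if (!is_array($config)) {
            throw new RuntimeException("config file did not return an array: $real");
        }
        $cache[$file] = $config;
    }

    return $cache[$file];
}

// --- demo: recreate the question's layout inside a temporary directory ---
$base   = sys_get_temp_dir() . '/cfgdemo_' . bin2hex(random_bytes(4));
$public = $base . '/public_html';               // stands in for the web root
mkdir($public, 0700, true);

// config.php sits beside public_html, i.e. outside the web root. If such a
// file were ever requested over HTTP, PHP would execute it and the returned
// array would go to the includer, not to the client; an .ini file in the same
// position would be sent verbatim unless the server denies it.
$configSource = <<<'PHP'
<?php
return [
    'home_url'  => 'http://www.example.com',
    'root_path' => __DIR__ . '/public_html',   // derived from the file's own location
    'db'        => ['user' => 'demo_user', 'pass' => 'demo_pass'], // constructed values
];
PHP;
file_put_contents($base . '/config.php', $configSource);

$cfg = load_config($base . '/config.php');
printf("root_path: %s\n", $cfg['root_path']);

// A second call returns the cached array; the file is not read again.
$again = load_config($base . '/config.php');
printf("cached copy identical: %s\n", $again === $cfg ? 'yes' : 'no');

// The web root path itself needs no storage: a bootstrap file placed inside
// public_html can define the constant from where it lives.
//   define('ROOT_PATH', __DIR__);   // in <web root>/bootstrap.php (assumed name)

// cleanup
unlink($base . '/config.php');
rmdir($public);
rmdir($base);
```

Run it with `php example.php` from the command line; in a web context `$_SERVER['DOCUMENT_ROOT']` is set and the document-root check becomes active. The answer's `.htaccess` suggestion is a separate Apache-side measure and is not shown here.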
