Reputation: 7437
PHP security: include and config.ini
I'm hosting a file "getBio.php" that can be accessed directly:
http://www.example.com/getBio.php
I'm wondering if there is any difference in security effectiveness between:
A)
<?php
$config = parse_ini_file('../secretstuff/config.ini');
include '../secretstuff/getBio_B.php';
?>
B)
<?php
include '../secretstuff/getBio_B.php';
?>
Where the line:
$config = parse_ini_file('../secretstuff/config.ini');
is moved into the external file, getBio_B.php.
Thanks for any help, Adam.
Upvotes: 0
Views: 144
Answers (1)
Reputation: 1236
I don't know your purpose, but I think if you can ensure the origin of config.ini and getBio_B.php(usually files in your project), they are same.
If you just want to load some config items, use parse_ini_file is safer than include, because include function will load and execute loaded file's code,
it means whatever php code in loaded file the include function will execute it,
but use parse_ini_file to load some config, the structure of the ini file must have same structure as the php.ini's.
That's why evidently use config.ini having more security than include php file.
Upvotes: 2
Related Questions
- How can I prevent SQL injection in PHP?
- How do you parse and process HTML/XML in PHP?
- Difference between require, include, require_once and include_once?
- Deleting an element from an array in PHP
- Reference Guide: What does this symbol mean in PHP? (PHP Syntax)
- startsWith() and endsWith() functions in PHP
- Secure hash and salt for PHP passwords
- How does PHP 'foreach' actually work?
- Why shouldn't I use mysql_* functions in PHP?
- How should I ethically approach user password storage for later plaintext retrieval?