Reputation: 1009
I just got a task to work on an old-style developed webpage.
That means the commonly used variables/constants and the database connection variables are in the viewing PHP engine, not in a separate file. :-(
I thought I would put them into a config.php or config.inc file and just use them with require_once('/path/filename'); in the engine.
My problem is that I am not familiar with securing this, so I thought I would change the privileges (maybe 755?).
Is there anything else I could do?
Upvotes: 4
Views: 4463
Reputation: 6513
If you name your config file whatever.php and it only has constant or variable definitions (or even more code) and you include_once it, this has no security issues. WordPress uses this approach.
Upvotes: 2
Reputation: 145482
The file permissions need to remain. But you can indeed make the script itself inaccessible via:
<Files config.php>
    Order Allow,Deny
    Deny from all
</Files>
But that's just a superficial precaution. If you name that script "config.php", it is not web-accessible anyway.
If you are on shared hosting, there is nothing you can do to prevent snooping from other accounts. This requires a server setup with suphp/suexec for restricting file system access to other users.
Upvotes: 3
Reputation: 317119
Move the config file outside the public folder so it cannot be accessed via URL. Otherwise, a misconfiguration in your web server might send the file unparsed (someone might forget to tell the web server that .inc files should be run through PHP. I never name them .inc for that reason. Always .php). It's rare, but I have had this happen at least two times on sites I visited, and they had credentials in their files, too.
Upvotes: 4
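The last two answers each make one of three checks (outside the document root, a .php extension, sane permissions). The following added example, which is not code from any of the posters, rolls them into one audit function and runs it against a constructed temp-dir layout; the function name and the 0640/0600 suggestion are my own.

```php
<?php
// Added example (not from any answer above): audit a PHP config file's location,
// extension and permissions. Returns a list of findings; empty means nothing flagged.
function auditConfigFile(string $configPath, string $documentRoot): array
{
    $findings = [];
    $real = realpath($configPath);
    if ($real === false) {
        return ["config file not found: $configPath"];
    }
    $root = rtrim(realpath($documentRoot) ?: $documentRoot, '/') . '/';
    // 1. Location: anything under the document root is reachable by URL, so a
    //    handler misconfiguration could serve it unparsed (see the last answer).
    if (strncmp($real, $root, strlen($root)) === 0) {
        $findings[] = "inside document root $root: move it above the public folder";
    }
    // 2. Extension: .inc is only safe while the server maps it to PHP; a .php
    //    file is always executed, so its source never leaves the server.
    if (strtolower(pathinfo($real, PATHINFO_EXTENSION)) !== 'php') {
        $findings[] = 'extension is not .php: a handler mix-up would expose the source';
    }
    // 3. Permissions: 755 (suggested in the question) is world-readable and
    //    executable. Only the web server user needs to read this file.
    $mode = fileperms($real) & 0777;
    if ($mode & 0004) {
        $findings[] = sprintf('mode %04o is world-readable: 0640 or 0600 is enough', $mode);
    }
    if ($mode & 0022) {
        $findings[] = sprintf('mode %04o is group- or world-writable', $mode);
    }
    if ($mode & 0111) {
        $findings[] = sprintf('mode %04o has execute bits a config file does not need', $mode);
    }
    return $findings;
}

// Constructed sample layout in a temp dir: public/ is the web root, config.php
// sits one level above it (loaded with require_once __DIR__ . '/../config.php').
$base = sys_get_temp_dir() . '/cfgdemo_' . bin2hex(random_bytes(4));
mkdir("$base/public", 0755, true);
file_put_contents("$base/config.php", "<?php\nconst DB_PASS = 'example';\n");
chmod("$base/config.php", 0640);
file_put_contents("$base/public/bad.inc", "<?php\n\$dbPass = 'example';\n");
chmod("$base/public/bad.inc", 0755);

foreach (["$base/config.php", "$base/public/bad.inc"] as $file) {
    $issues = auditConfigFile($file, "$base/public");
    echo basename($file), ': ', $issues ? implode('; ', $issues) : 'OK', PHP_EOL;
}
```

Running it reports config.php as OK and flags bad.inc on all three counts; point the two arguments at your real config path and document root to audit a live site.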