ini files as config - hidden
on 14.08.2009 19:31:46 by daniel danon
I'm building a little framework for myself,
The configuration of the framework is done in an ini file,
How do you suggest to hide its contents?
.htaccess won't be good (or at least only htaccess) since if it's turned
off....
The file contains mysql password and important data.
How should I make sure the file stays hidden from someone who might try to
access it?
--
Use ROT26 for best security
Re: ini files as config - hidden
on 14.08.2009 19:51:42 by joao
I think a good solution is to put the ini file out of your html folder so
only your scripts can read it.
"????? ????" wrote in message
news:907722000908141031v5b020fe0m5a3cc8a9dc19643f@mail.gmail.com...
> I'm building a little framework for my self,
>
> The configuration of the framework is done in an ini file,
>
> How do you suggest to hide its contents?
>
> .htaccess won't be good (or at least only htaccess) since if it's turned
> off....
>
> The file contains mysql password and important data.
>
>
> How should I make sure the file stays hidden from someone who might try
> to
> access it?
>
> --
> Use ROT26 for best security
>
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: Re: ini files as config - hidden
on 14.08.2009 19:56:50 by Ben Dunlap
2009/8/14 João Cândido de Souza Neto:
> I think a good solution is to put the ini file out of your html folder so
> only your scripts can read it.
I agree, and I try to do the same, but I've noticed that most
open-source CMSes I've looked at (Drupal, Joomla, Textpattern, CMS
Made Simple) have always stored database credentials inside of
DocumentRoot, by default.
Not sure if this is a compromise to allow ease-of-use by
less-technical users, or if my insistence on putting this sort of file
outside of DocumentRoot is just paranoia (and not the good kind).
I'd definitely be interested to hear how others on the list approach
this problem.
And that's only one part of the equation, if you're on a
shared-hosting platform. Are you, or do you have your own server?
Ben
Re: Re: ini files as config - hidden
on 14.08.2009 20:03:25 by Martin Scotta
2009/8/14 Ben Dunlap
> 2009/8/14 João Cândido de Souza Neto:
> > I think a good solution is to put the ini file out of your html folder so
> > only your scripts can read it.
>
> I agree, and I try to do the same, but I've noticed that most
> open-source CMSes I've looked at (Drupal, Joomla, Textpattern, CMS
> Made Simple) have always stored database credentials inside of
> DocumentRoot, by default.
>
> Not sure if this is a compromise to allow ease-of-use by
> less-technical users, or if my insistence on putting this sort of file
> outside of DocumentRoot is just paranoia (and not the good kind).
>
> I'd definitely be interested to hear how others on the list approach
> this problem.
>
> And that's only one part of the equation, if you're on a
> shared-hosting platform. Are you, or do you have your own server?
>
> Ben
A workaround to this is to simply let the browser get the ini as a php file.
What? are you insane? no. it is really easy.
1) Name your ini files .php so, database.ini will be database.php
2) Put in the top of your script this line
;<?php exit; ?>
So, when the file is opened as an ini file the semicolon indicates that
it's a comment.
But, when the browser calls for this file... php just exits in the first
line.
Our data will be safe as long as the first line remains there.
--
Martin Scotta
Re: Re: ini files as config - hidden
on 14.08.2009 20:05:46 by joao
A long time ago I worked in many shared servers, nowadays I'm not working
with web sites, only systems, so my customers always have their own server.
The question is:
1) The ini file you mentioned has ini extension?
if yes, it must be out of the document root because if someone types its
url, the browser will certainly show up its content.
2) Has it php extension?
if yes, it can be inside the document root because if someone types its
url, PHP will show up only the result of its code.
Re: Re: ini files as config - hidden
on 14.08.2009 20:08:55 by joao
It's a cool solution as well.
Re: Re: ini files as config - hidden
on 14.08.2009 20:11:52 by Ben Dunlap
> 1) Name your ini files .php so, database.ini will be database.php
Actually I was assuming the configuration file to be a PHP script --
as is typical in big open-source CMSes. I took "ini file" earlier in
the thread to be a generic description of any file, whatever the
extension, that contains sensitive configuration data.
> Our data will be safe as long as the first line remains there.
And as long as the file is actually handed off to PHP for processing.
Seems like there are plenty of situations, none of them too
far-fetched, that could cause the web server to mistakenly serve a
file with ".php" in its name as a generic text file rather than
handling it correctly. I'd rather just have the file outside of
DocumentRoot and avoid that risk entirely. But again, maybe that's
just unproductive paranoia?
Ben
Re: Re: ini files as config - hidden
on 15.08.2009 00:22:48 by Ashley Sheridan
On Fri, 2009-08-14 at 15:03 -0300, Martin Scotta wrote:
> 2009/8/14 Ben Dunlap
>
> > 2009/8/14 João Cândido de Souza Neto:
> > > I think a good solution is to put the ini file out of your html folder so
> > > only your scripts can read it.
> >
> > I agree, and I try to do the same, but I've noticed that most
> > open-source CMSes I've looked at (Drupal, Joomla, Textpattern, CMS
> > Made Simple) have always stored database credentials inside of
> > DocumentRoot, by default.
> >
> > Not sure if this is a compromise to allow ease-of-use by
> > less-technical users, or if my insistence on putting this sort of file
> > outside of DocumentRoot is just paranoia (and not the good kind).
> >
> > I'd definitely be interested to hear how others on the list approach
> > this problem.
> >
> > And that's only one part of the equation, if you're on a
> > shared-hosting platform. Are you, or do you have your own server?
> >
> > Ben
> >
> A workaround to this is to simply let the browser get the ini as a php file.
> What? are you insane? no. it is really easy.
>
> 1) Name your ini files .php so, database.ini will be database.php
> 2) Put in the top of your script this line
>
> ;<?php exit; ?>
>
> So, when the file is opened as an ini file the semicolon indicates that
> it's a comment.
> But, when the browser calls for this file... php just exits in the first
> line.
>
> Our data will be safe as long as the first line remains there.
>
Silly idea. If you want to read in the ini file via PHP to get the
values out, why don't you just have them as PHP vars? There's extra
overhead involved in processing the ini, which is a big bad idea if the
ini is used to hold database details, as not only does the database
connection take time, but you've increased the time needed to access the
connection details! Way to go!
Thanks,
Ash
http://www.ashleysheridan.co.uk
Re: ini files as config - hidden
on 15.08.2009 20:39:30 by Sancar Saran
On Friday 14 August 2009 08:31:46 pm ×× ××× ×× ×× wrote:
> I'm building a little framework for my self,
>
> The configuration of the framework is done in an ini file,
>
> How do you suggest to hide its contents?
>
> .htaccess won't be good (or at least only htaccess) since if it's turned
> off....
>
> The file contains mysql password and important data.
>
>
> How should I make sure the file stays hidden from someone who might try
> to access it?
Hello there,
1-) You have to parse ini file in each execution. It was negative for
performance. I suggest use plain php array
2-) To hide your config put it in out of html document root.
define('ROOTDIR', dirname(__FILE__).'/');
define("CONFDIR",ROOTDIR.'../config/');
require(CONFDIR.'config.php');
Regards
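Added example (not code from any poster in this thread): one way to act on the two concerns raised above, keeping the ini file outside the document root and, on shared hosting, not leaving it world-readable. It assumes a POSIX host; the function name `load_private_ini`, the directory layout and the ini keys are hypothetical, and the sample file is constructed for the demo.

```php
<?php
// Added example. Assumes a POSIX host; the function name, paths and ini keys
// are hypothetical and the sample file is constructed for the demo.

function load_private_ini(string $iniPath, string $docRoot): array
{
    $ini  = realpath($iniPath);   // resolves symlinks and "../"
    $root = realpath($docRoot);   // in a web request: $_SERVER['DOCUMENT_ROOT']
    if ($ini === false || $root === false || !is_file($ini)) {
        throw new RuntimeException("config or document root not found");
    }
    // Refuse a file the web server could hand out as static text.
    if (strpos($ini, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("config is inside the document root");
    }
    // On shared hosting, other accounts can read world-readable files.
    $mode = fileperms($ini) & 0777;
    if ($mode & 0004) {
        throw new RuntimeException(sprintf("config is world-readable (%04o)", $mode));
    }
    // RAW mode does not interpret values, so characters such as "!" or "&"
    // in a password come back unchanged.
    $cfg = parse_ini_file($ini, true, INI_SCANNER_RAW);
    if ($cfg === false) {
        throw new RuntimeException("config could not be parsed");
    }
    return $cfg;
}

// Demo on a temporary tree standing in for <site>/public_html and <site>/config.
$base = sys_get_temp_dir() . '/inidemo_' . getmypid();
mkdir("$base/public_html", 0755, true);
mkdir("$base/config", 0700, true);
$sample = "[database]\nhost = localhost\nuser = app\npassword = s3cr!t&x\n";
foreach (['public_html', 'config'] as $dir) {
    $file = "$base/$dir/framework.ini";
    file_put_contents($file, $sample);
    chmod($file, 0600);
    try {
        $cfg = load_private_ini($file, "$base/public_html");
        echo "$dir: loaded, user=", $cfg['database']['user'], "\n";
    } catch (RuntimeException $e) {
        echo "$dir: refused, ", $e->getMessage(), "\n";
    }
    unlink($file);
    rmdir("$base/$dir");
}
rmdir($base);
```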