PHP: Storing sensitive informations inside .ini file is good or bad approach?
I'm confused about something and need some explanations.
In my practice I normaly see that 90% of PHP developers all sensitive informations like database connections, FTP, SMTP setup etc. store inside some variable, array, objects or constants.
I wonder now is better to use some ini file out of rootand store there? Or is better to hide somewhere .ini file and denay access via .htaccess?
Generaly, I want to save that sensitive data on most secure way.
There is no perfectly safe choice, but some are better than others.
Don't save sensitive information in your project's source code -- you don't want your passwords and API keys on github.
Saving sensitive information in a database is fine, but then you still need somewhere to store the database credentials, and you're right back where you started.
You can save sensitive information in environment variables. These would usually be set up in your web server's configuration file(s).
Saving sensitive information in an ini file is fine, provided the following:
- The file has the minimal permissions required.
- The file is completely outside the web server's document root and thus can't ever be served directly. Don't put the file in your main directory and then use .htaccess to deny access to it.
- The file is not committed to source control. If you're using git, edit your .gitignore so that the file is ignored.
These should also go without saying:
- The user account running the web server process should never have write permission to the files it's serving.
- Other non-privileged users on the machine running the web server process should not have read access to the files it's serving.