DiogoNeves DiogoNeves - 1 month ago 15
PHP Question

Storing important secret keys in php files

We're making an app using PHP and using some third party services that require a secret API key.
We have a PHP file that contains all those keys definitions that we then import (using require_once) when needed.

Is this approach safe? Should we store the keys in a different place?

Thank you.

Answer

Something similar was asked today for a shell script. The answer is valid here as well: Make sure you store the file outside the web root, or (if that's not possible) protect it using a .htaccess file.

I also like to unset() any variables containing sensitive data after use, so not even a full variable dump (e.g. in a debug message) later in that script could reveal it.