What is the way to store and read settings?

Viewed 671 times

8

Suppose I have a small site that stores and returns information from a database. Currently I see many people storing the MySQL login data or paths in PHP variables or in constants created with define.

<?php
// ...
$db_host = "localhost";
$db_x = "xxx";
// or
define("DB_HOST", "localhost");
// ...
?>

On the PHP site I read some of the user-contributed notes, and some said that the best way to store settings is in .ini configuration files; in other cases, such as frameworks, paths and other data are stored in .json files.

If I save settings in one of these files, what guarantee do I have that it will be safer, and how can I read these settings securely?

  • 2
  • Thank you, but I’d really like to know what the advantages would be if I were to use each of them, and how best to store and read them.

  • 1

    I do not see a security issue, but more a matter of practicality for any changes. Yes, in my case I use it more for practicality. I believe that this kind of need arose for compiled programs, so that there is no need to compile the whole program once the database configuration (password, user, server address, etc.) changes.

  • @Skywalker thanks for the use example, I found this here

  • Just one detail: there is no unbreakable security, so you will never be guaranteed anything. But you can rely on a risk analysis that will have information about the degree of security of each way of storing settings. The most secure way is still data encryption.

2 answers

6


There is no guarantee; on the contrary, if you do not know what you are doing, it is easier to end up doing something less secure this way. Changing the extension or even the internal text format gives no security.

Maybe this idea is about storing the settings in a .ini file outside the site's access area, in a separate path that the HTTP server does not have access to. But the file extension or format does not matter; what matters is whether the file is out of public access, but it doesn't make much difference. On a properly configured and functioning server the security is the same. On a badly configured or compromised server you are in trouble in both cases. The "guarantee" of security (very much in quotes) is to study deeply how computers, operating systems, servers, languages and other aspects of computing work, besides maintaining a commitment to quality at all times.

The best way to access the database anonymously is still to keep the configuration in a .php file, as everyone does, as long as everything is set up correctly.

This does not guarantee anything if the server is compromised, but under normal conditions, it is safe.

2

As previously stated by @Maniero, it is recommended that the settings be kept in a PHP script, since the code will only be interpreted by PHP, and you do not run the risk of having your data exposed if someone gets direct access to the script.

One way, which is used by the Laravel framework, would be as follows:

config/database.php

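<?php
// Returns the settings array to whichever script includes this file
return array(
    'default' => 'mysql_local',   // name of the connection to use by default
    'mysql_local' => array(
        'host' => 'localhost',
        'database' => 'sopt'
    )
);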

To load the configuration, you can do this:

$config = include 'config/database.php';

$conf_database = $config['mysql_local'];

Since you used return in the configuration file database.php, it was possible to capture this data in a variable through the include.

I already answered that here.
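A loader for the `return array(...)` style of config file shown above, added here as an example and not code from either answer or from Laravel; `load_config`, the required key names and the demo paths are hypothetical. Before including the file it checks that the file sits outside the document root, as the first answer describes, and that it is not readable by every local user.

```php
<?php
declare(strict_types=1);

/**
 * Load a PHP config file that `return`s an array, refusing files that are
 * inside the web root or readable by every local user.
 * (load_config and the key names are hypothetical, for illustration.)
 */
function load_config(string $file, string $docRoot, array $requiredKeys): array
{
    $real = realpath($file);          // resolves symlinks and ../ segments
    $root = realpath($docRoot);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException('Config file not found');
    }
    // Reject a config that the HTTP server could serve as a static file.
    if ($root !== false && strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0) {
        throw new RuntimeException('Config file is inside the document root');
    }
    // On POSIX systems, refuse a file other local users can read (mode o+r).
    if (DIRECTORY_SEPARATOR === '/' && (fileperms($real) & 0004) !== 0) {
        throw new RuntimeException('Config file is world-readable');
    }
    $config = include $real;          // the value after `return` in the file
    if (!is_array($config)) {
        throw new RuntimeException('Config file must return an array');
    }
    foreach ($requiredKeys as $key) {
        if (!array_key_exists($key, $config)) {
            throw new RuntimeException("Missing config key: $key");
        }
    }
    return $config;
}

// Constructed demo: a temporary directory stands in for the server layout.
$base = sys_get_temp_dir() . '/cfgdemo_' . bin2hex(random_bytes(4));
mkdir("$base/public", 0755, true);    // plays the role of the document root
mkdir("$base/private", 0700, true);   // sibling directory, not served
file_put_contents("$base/private/database.php",
    "<?php\nreturn ['host' => 'localhost', 'database' => 'sopt'];\n");
chmod("$base/private/database.php", 0600);

$db = load_config("$base/private/database.php", "$base/public", ['host', 'database']);
echo $db['host'], ' / ', $db['database'], PHP_EOL;
```

Pointing the same call at a copy of the file under `$base/public`, or at one left with mode 0644, throws instead of returning the settings.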
