Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How do I secure a hardcoded login/password in PHP?

I'm writing a simple PHP script to access the Foursquare API. The PHP will always access the same Foursquare account. For the time being, I have this login information hardcoded in my script. What is the best way to secure this information?

If I follow the advice from this thread, I should just place the login information in a config file outside the website's root directory: How to secure database passwords in PHP?

Is this the best advice? Or is there a better way to secure the login information?

like image 974
user2393462435 Avatar asked Sep 04 '10 23:09

user2393462435


People also ask

How can I protect my database password in PHP?

password_hash() function provides the facility to securely store the password of the user to the database. Example: First parameter Password will contain the normal password. The second Parameter will contain PASSWORD_BCRYPT to make secure otherwise it contains PASSWORD_DEFAULT as default.

Is it safe to store password in PHP?

PHP provides a native password hashing API that safely handles both hashing and verifying passwords in a secure manner.

What is salt and hashing PHP?

Salting and hashing is a technique to store the password in a database. In cryptography, salting means to add some content along with the password and then hashing it. So salt and hash provide two levels of security.


2 Answers

The best way, of course, would be to not store it at all.

If you can't do that, storing it inside a PHP file (as variables) should ensure it's not going to be sent to the client side. If you're really paranoid about your web server suddenly stopping to interpret PHP, you can put it in a separate file, outside the document root, or where access is denied (through a .htaccess directive, for instance).

like image 132
zneak Avatar answered Oct 04 '22 21:10

zneak


(There are linux-specific details here, so please forgive them if that's not your platform...)

If you're running on apache and have access to the configuration files (which may not be the case with shared hosting), you can put a line like this in your VirtualHost config (or httpd.conf, or other included config file):

SetEnv FOURSQUARE_PW "your password"

Then your php scripts can access it at $_SERVER['FOURSQUARE_PW'].

The advantage here is that you can make that config file readable only by root, since apache will be started as root using init.d.

like image 36
grossvogel Avatar answered Oct 04 '22 22:10

grossvogel