Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How do I secure a hardcoded login/password in PHP?

Tags:

security

php

passwords

password-protection

login

I'm writing a simple PHP script to access the Foursquare API. The PHP will always access the same Foursquare account. For the time being, I have this login information hardcoded in my script. What is the best way to secure this information?

If I follow the advice from this thread, I should just place the login information in a config file outside the website's root directory: How to secure database passwords in PHP?

Is this the best advice? Or is there a better way to secure the login information?

like image 974
user2393462435 Avatar asked Sep 04 '10 23:09

user2393462435

People also ask

How can I protect my database password in PHP?

password_hash() function provides the facility to securely store the password of the user to the database. Example: First parameter Password will contain the normal password. The second Parameter will contain PASSWORD_BCRYPT to make secure otherwise it contains PASSWORD_DEFAULT as default.

Is it safe to store password in PHP?

PHP provides a native password hashing API that safely handles both hashing and verifying passwords in a secure manner.

What is salt and hashing PHP?

Salting and hashing is a technique to store the password in a database. In cryptography, salting means to add some content along with the password and then hashing it. So salt and hash provide two levels of security.

2 Answers

The best way, of course, would be to not store it at all.

If you can't do that, storing it inside a PHP file (as variables) should ensure it's not going to be sent to the client side. If you're really paranoid about your web server suddenly stopping to interpret PHP, you can put it in a separate file, outside the document root, or where access is denied (through a .htaccess directive, for instance).

like image 132
zneak Avatar answered Oct 04 '22 21:10

zneak

(There are linux-specific details here, so please forgive them if that's not your platform...)

If you're running on apache and have access to the configuration files (which may not be the case with shared hosting), you can put a line like this in your VirtualHost config (or httpd.conf, or other included config file):

SetEnv FOURSQUARE_PW "your password"

Then your php scripts can access it at $_SERVER['FOURSQUARE_PW'].

The advantage here is that you can make that config file readable only by root, since apache will be started as root using init.d.

like image 36
grossvogel Avatar answered Oct 04 '22 22:10

grossvogel
Sign in to Comment

Related questions

How can I create multiple different blocks in one module in Drupal 6?
Create a picture with GD containing other images
PHP Arrays: Pop an array of single-element arrays into one array
Can someone point me to a good PHP/MySQL salted hashed password implementation?
Json_encode Charset problem
What causes SQL Server to return the message 'The statement has been terminated'?
PHP round decimals
list of registered shutdown functions
PHP get line number from logging event
A PHP script to let users download a file from my website without revealing the actual file link in my website?
PHP ZipArchive what do status values mean?
two values for one name in input
Undefined date_diff()
CakePHP - Fatal error: Call to undefined function
Can a MYSQLI connection be reopened WITHOUT instantiating a new object
How should boolean expressions be written in PHP?
PHP array comparison
CakePHP Console on Godaddy Hosting
Get PDO connection ID
php create file with given size

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!