How do I secure a hardcoded login/password in PHP?

Question

I'm writing a simple PHP script to access the Foursquare API. The PHP will always access the same Foursquare account. For the time being, I have this login information hardcoded in my script. What is the best way to secure this information?

If I follow the advice from this thread, I should just place the login information in a config file outside the website's root directory: How to secure database passwords in PHP?

Is this the best advice? Or is there a better way to secure the login information?

score 11 · Accepted Answer · answered Sep 04 '10 at 23:56

11

The best way, of course, would be to not store it at all.

If you can't do that, storing it inside a PHP file (as variables) should ensure it's not going to be sent to the client side. If you're really paranoid about your web server suddenly stopping to interpret PHP, you can put it in a separate file, outside the document root, or where access is denied (through a .htaccess directive, for instance).

answered Sep 04 '10 at 23:56

zneak

134,922
42
253
328

2

+1 - Putting it in a file outside the document root is the best idea. – James Black Sep 05 '10 at 00:56

score 4 · Answer 2 · answered Sep 05 '10 at 01:49

4

(There are linux-specific details here, so please forgive them if that's not your platform...)

If you're running on apache and have access to the configuration files (which may not be the case with shared hosting), you can put a line like this in your VirtualHost config (or httpd.conf, or other included config file):

SetEnv FOURSQUARE_PW "your password"

Then your php scripts can access it at $_SERVER['FOURSQUARE_PW'].

The advantage here is that you can make that config file readable only by root, since apache will be started as root using init.d.

answered Sep 05 '10 at 01:49

grossvogel

6,694
1
25
36

I don't see a real advantage here. Who do you want to prevent from reading the file? A malicious PHP script? One of the first thing those do is usually `print_r($_SERVER)` - well, awkward. – Fabian Schmengler Feb 12 '13 at 16:15
I admit it's a small advantage if any, depending on the environment. The web stack is probably the most likely way for the server to be compromised, but there may be others. If an attacker gains access through some other means, they may be able to read but not write the website files... – grossvogel Feb 14 '13 at 18:28

score 0 · Answer 3 · answered Sep 05 '10 at 00:01

storing it in a .php file as a variable outside the root directory in a filename that is not something easily guessed is a reasonable secure way of keeping your credentials safe. But if you can avoid storing it on the server at all then that would be best. Provide a login page to enter that information into upon demand to be used for the session and then discarded once you no longer need it.

How do I secure a hardcoded login/password in PHP?

3 Answers3

Linked

Related