How do I store and read settings?

8

Imagine that I have a small site, and this site stores and returns information from the database. I currently see a lot of people storing the MySQL login data or paths in PHP variables or defined constants.

<?php
...
$db_host = "localhost";
$db_x = "xxx";
// or
DEFINE("DB_HOST", "localhost");
...
?>

On the PHP page I read some of the user-contributed notes, and some said that the best way to store settings is in .ini configuration files; in other cases, such as frameworks, paths and other data are stored in .json files.

If I save settings to one of these files, what guarantee do I have that it will be more secure, and how can I safely read these settings?

    
asked by anonymous 30.11.2015 / 15:39

2 answers

6

You have no guarantee. On the contrary, if you do not know what you are doing, it is easier to end up doing something less secure this way. Changing the extension or even the formatting of the internal text does not give any security.

Perhaps the idea behind storing a .ini is to keep the file outside the access area of the site, on a separate path that the HTTP server does not have access to. But no matter the file format or extension, what matters is whether it is out of public access. But it does not make much difference. In a server configured and working correctly the security is the same. On a misconfigured or compromised server, it falls apart in both cases. Having "security" (very much in quotes) means studying in depth how computers, operating systems, servers, languages and other aspects of computing work, and maintaining a commitment to quality at all times.

The best way to access the database anonymously is still to keep the configuration in a .php file, as everyone else does, as long as everything is set up correctly.

This does not guarantee anything if the server is compromised, but under normal conditions, it is safe.

    
30.11.2015 / 15:54
2

As previously mentioned by @bigown, it is recommended that the settings be in a PHP script, since the code will only be interpreted by PHP, and you do not run the risk of having your data exposed if someone gains direct access to the script.

One approach, which is used by the Laravel framework, would be as follows:

config/database.php

<?php
// config/database.php: returns the settings array to whoever includes this file
return array(
    'default' => 'mysql_local',
    'mysql_local' => array(
        'host' => 'localhost',
        'database' => 'sopt'
    )
);

In the configuration call, you can do this:

$config = include 'config/database.php';

$conf_database = $config['mysql_local'];

Since you used return in the database.php configuration file, you can then capture this data in a variable, using include.

I've already answered it here:

link

    
01.12.2015 / 12:39
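
A loader that combines the points from both answers, as an added example that is not code from either answer: it accepts a PHP `return array(...)` file or an .ini file, but only from outside the document root and only if the file is not world-readable. The function name `load_settings` and the temporary directory layout are assumptions made for this illustration.

```php
<?php
// Added example. load_settings() is a hypothetical helper; all paths are constructed.
// Load a .php (return array) or .ini settings file, refusing files that sit
// inside the document root or that any local account can read.
function load_settings(string $file, string $docRoot, array $required): array
{
    $real = realpath($file);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('Path not found');
    }
    // Anything under the document root is reachable by URL; a non-PHP file is returned as-is.
    if (strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('Settings file is inside the document root');
    }
    // POSIX "other" read bit: every local account could read the password.
    if (DIRECTORY_SEPARATOR === '/' && (fileperms($real) & 0004)) {
        throw new RuntimeException('Settings file is world-readable');
    }
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if ($ext === 'php') {
        $settings = include $real;           // file must end in "return array(...)"
    } elseif ($ext === 'ini') {
        $settings = parse_ini_file($real, false, INI_SCANNER_TYPED);
    } else {
        throw new RuntimeException('Unsupported settings format');
    }
    $missing = is_array($settings) ? array_diff($required, array_keys($settings)) : $required;
    if ($missing) {
        throw new RuntimeException('Missing keys: ' . implode(', ', $missing));
    }
    return $settings;
}

// Constructed layout: <tmp>/public is the document root, <tmp>/config is outside it.
$base = sys_get_temp_dir() . '/settings_demo_' . getmypid();
mkdir("$base/public", 0755, true);
mkdir("$base/config", 0750, true);
file_put_contents("$base/config/database.php",
    "<?php\nreturn array('host' => 'localhost', 'database' => 'sopt');\n");
chmod("$base/config/database.php", 0640);
file_put_contents("$base/public/database.ini", "host = localhost\ndatabase = sopt\n");
$conf = load_settings("$base/config/database.php", "$base/public", ['host', 'database']);
echo "Loaded host: {$conf['host']}\n";
try {
    load_settings("$base/public/database.ini", "$base/public", ['host', 'database']);
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

Because `include` executes whatever the .php settings file contains, the file needs the same write protection as the application code itself.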