Keeping Credentials Secure in PHP

Chris Cornutt on July 04, 2019

** Previously posted on my site, Websec.io One of the most difficult things in any kind of application (not just web applications) is how to prote... [Read Full]
markdown guide
 

Great post found another version of it from PHP Round Table podcast. Couple questions if you do not mind.

When placing the .env files outside the root of the app and setting open_basedir how can you access those files or do you move them back into the root?

Is there any additional setup to get SetEnv to work. For whatever reason it is setting it in the $_SERVER global but not in the $_ENV.

 

So if you're using the .env files, they just need to be outside of the document root but inside the open_basedir directory/directories.

For example, if your document root is /var/www (for your-site.com) and you have an index.php file in there, having the .env in the same directory would mean they could access your-site.com/.env and access it directly.

The recommendation here is to move the .env someplace PHP can still get to it (defined in open_basedir if set) but not in the publicly accessible location. For example, many PHP applications are following this structure:

/var/www/.env
/var/www/public/index.php

Where the /var/www/public is the DOCUMENT_ROOT but PHP can still reach back up one directory to get the .env.

As far as the other issue ($_SERVER vs $_ENV) I'm not 100% sure why it wouldn't be putting the value in $_ENV but they're going to be the same. I tried doing some research on it and couldn't determine why there might be a difference. It's loading it from the same place though.

 

Thanks for the follow up didn't see the tie between DOCUMENT_ROOT and the public portion that all makes sense now.

I will keep looking into the other problem.

Great content though!

 

I really miss credential managers like Vault from this list. Other than that, itʼs a great overview of how it should and shouldnʼt be done!

 

Hey there Gergely, I actually just posted another "credential security" tutorial that makes use of Vault - enjoy! dev.to/enygma/securing-credentials...

code of conduct - report abuse