I'm just starting to learn PHP little by little and immediately ran into a question: how do I secure the config.php file?

At the moment, the file itself looks like this:

    <?
    session_start();
    header('Content-Type: text/html; charset=utf-8');
    $vk_config['client_id'] = '';
    $vk_config['client_secret'] = '';
    $vk_config['redirect_uri'] = '';
    $vk_config['v'] = '';
    ?>

If I need the data somewhere, I include the file and pass the variable holding the key I need:

 vk_authorize($vk_config['client_id'], $vk_config['redirect_uri'], $vk_config['v']); 

Example in function:

    function vk_authorize($client_id, $redirect_uri, $v) {
        $params = array(
            'client_id'     => $client_id,
            'redirect_uri'  => $redirect_uri,
            'display'       => 'page',
            'scope'         => 'email',
            'response_type' => 'code',
            'v'             => $v
        );
        // http_build_query() already URL-encodes the values; decoding the result
        // again would corrupt redirect_uri, so the query string is used as built.
        echo '<a class="vk-authorize" href="https://oauth.vk.com/authorize?' . http_build_query($params) . '">Аутентификация</a>';
    }

So, what can anyone advise from a security point of view?

  • And what would you protect it from? Even if a third-party server includes it, it won't get the variables inside. And if someone goes directly to the file's address, the attacker is in for a disappointment. - Vlad
  • Maksym, I'm not very aware of all the nuances; that's why I asked such a question. - Rodion Polyakov
  • It's worth dropping the short tags to avoid migration problems. Everything else is fine. - Dmitriy Simushev

3 answers

If I understand correctly, the entire contents of the file are displayed in the browser.
In that case, it is not clear what this file should be protected from.

In general, there is no point in worrying about conspiracies in this case; you don't need to protect the files from anything.

As you gain experience, you will come to understand how to structure the site's architecture, placing all program files outside the web server's root. But that is more a matter of architecture than of security.

  • What do you mean? Can I read about such an architecture somewhere? - iproger
  • What do you mean, the entire contents of the file are displayed in the browser? It is precisely not displayed, since showing the secret key to anyone is strictly forbidden. P.S. Also, in the future there will be a database password, which also can't be shown. - Rodion Polyakov
  • Well, he doesn't show it to anyone; that was said at the very beginning in the comments - Ipatyev

Move all your passwords and settings outside the public_html folder

    Place the configuration file in the /includes directory and add an .htaccess file with the following contents to that directory:

     Require all denied 

    i.e. access is blocked at the web server level, in this case for Apache 2.4

    • Will that be enough? - Rodion Polyakov
    • @RodionPolyakov yes. If you request the address example.com/includes/config.php directly in the browser, the server will return a 403 Forbidden error, while you can still include the file with include/require in your scripts without any trouble. I.e. all system files that you don't want to be reachable from outside can be placed in this directory. In general, though, if requesting this file from outside executes its code without causing any action, for example writing data to the database, then you can leave it as is; otherwise anyone could call it and write data to the database. - Plush