I am storing my mysql connection data and other sensitive information in a config file, however I detected an issue that anyone can access that file and view the contents of that file but I don't want to let anyone do that without appropriate permission.

I can encode the content of the config file but how will PHP decode that and get the original value?

Can anyone give me a solution.

Recommended Answers

All 4 Replies

if you are on a linux system, you can define the permission for the file as 4-0-0 which only lets the system read the file. Some hosts don't allow 4-0-0 so give it the lowest possible permission. If you are under Windows, there must be an equivalent.

commented: Thanks for the hint +2

How will I code it in such a way so that it works in any system?

Together with chrishea suggestion use .htaccess:

order allow,deny
deny from all

Save this in the same directory that contains mysql connection data. This will avoid direct access through the browser.

On Windows you can use cacls, it's a command line tool: http://technet.microsoft.com/en-us/library/bb490872.aspx

Configuration php files for your web application must be located outside from web server root domain directory.

Most common directory structure:
/var/domain.com/www - ftp and web server root directory, visible from server-side and client-side(browser), index.php is here
/var/domain.com/include - ftp directory, visible only from server-side, config.php is here

In index.php write:

require_once '/var/domain.com/include/config.php';
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, learning, and sharing knowledge.