如何使用户/密码在php脚本中安全？

Question

My application is a website for online purchase. I (php server) will collect client's requests and send them to the processing gateway. The gateway cannot directly talk to the clients, and it requires my authentication details to have communication with me. Because clients need to get immediate response from the gateway while online, so I have to put my authentication details in my server-side php script. I know that's not safe. So how can I make it secure?

Thanks!

Answer 1

Since your script has to be able to get your username/password for the payment gateway, regardless of how "securely" you store them, at some point they'll be exposed in raw unencrypted form, even if only in memory.

The problem boils down to how much time and effort you want to spend "securing" the user/pass, vs. how much it'd cost you to clean up after a compromise. Let's say you spend $2000 in time/effort securing your site. The effort pays off an no one breaks in. However, it would only have cost you $100 in fines after a break in, so you've got a net loss of $1900.

Answer 2

A basic way to do this is put the auth details into a file maybe init.inc and place this file outside of the web root. So you might have

 - \site_directory\ 
      - \secure_include\
           - init.inc
      - \siteroot\
           - \css\
           - \includes\
           - \images\
           - login.php

This way at the very least if anything goes wrong with apache + php parser the plain text files will not be viewable in a web browser.