
How to pass PayPal API credentials SECURELY in with PHP (and why is this not considered secure)

So obviously the PayPal API code is not very easy to read or understand, and neither is the documentation which is provided. This guy agrees with me.

If you've spent more than a few minutes in the PayPal documentation, you will know it's easier to manually decrypt a 1024 bit RSA private key than to understand the PayPal Digital Goods with Express Checkout API.

So I finally figured out how to get PHP to communicate with the PayPal API through this sample code:

https://ppmts.custhelp.com/app/answers/detail/a_id/945/kw/php

However, PayPal completely distances itself from the samples it provides; they must have an interest in developers spending hours and hours figuring out the system, rather than just giving them code that's easy to implement so they can start getting paid. I wonder how they got so successful...

As a matter of fact the sample code even says that it's not secure and should not be used for production:

// Set API creds and version greater than 65.1, also set endpoint and redirect url

//**************************************************//
// This is where you would set your API Credentials //
// Please note this is not considered "SECURE" this //
// is an example only. It is NOT Recommended to use //
// this method in production........................//
//**************************************************//

$APIUSERNAME  = "xxxx";
$APIPASSWORD  = "xxxx";
$APISIGNATURE = "xxxx";
$ENDPOINT     = "https://api-3t.sandbox.paypal.com/nvp";

Essentially what happens is that these variables are used to create a string which contains all the information about the purchase as well as the API credentials. The string is made up of each index and value pair, connected with ampersands: $req_str = "USER=xxxx&PWD=xxxx"; and so on. This string gets passed to a function PPHttpPost($ENDPOINT, $req_str);. This function uses curl_init(); and related functions to somehow communicate with the PayPal server and returns a unique key to identify the transaction and its values.

I am not exactly sure how this function works but it is listed on the link I provided above under "functions.php".

Two questions:

1.) Why is this not considered secure?

2.) If it's not secure to tell the application about your API credentials by writing them into variables, then what is?

1.) Why is this not considered secure?

Because the values are written in a plain .php file inside the document root. If, due to some misconfiguration, your .php file ends up getting served as regular text, or you allowed a stack trace containing the lines in question to get written, then you have just leaked your secrets to all and sundry. This happens more often than you would think.

2.) If it's not secure to tell the application about your API credentials by writing them into variables, then what is?

You can certainly put them in variables, but it's generally accepted that the way to get the values in there—whether they're database credentials, API keys or other secret values—is to read them in from configuration files which are located outside the document root, where they will never be accidentally served.

PS. their example code also has improper handling of URL-encoding and HTML-encoding, leading to possible XSS. If I were them I'd distance myself from it too!
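One way to do what this answer recommends, as an added example that is neither the question's sample code nor PayPal's own: the credentials are read from a PHP file kept outside the document root (the path /etc/myapp/paypal.php and the function names are assumptions), the NVP string is built with http_build_query so every value is URL-encoded, and the reply is decoded with parse_str.

```php
<?php
// Contents of /etc/myapp/paypal.php (path is an assumption), kept outside the document
// root and readable only by the web server user:
//   return ['user' => '...', 'pwd' => '...', 'signature' => '...',
//           'endpoint' => 'https://api-3t.sandbox.paypal.com/nvp'];
// Load the credentials from that file instead of hard-coding them in a script under the
// web root, so a server that mistakenly serves .php as text has nothing to leak.
function loadPayPalConfig(string $path = '/etc/myapp/paypal.php'): array
{
    if (!is_readable($path)) {
        throw new RuntimeException("PayPal config not readable: $path");
    }
    $cfg = require $path;
    foreach (['user', 'pwd', 'signature', 'endpoint'] as $key) {
        if (empty($cfg[$key])) {
            throw new RuntimeException("PayPal config is missing '$key'");
        }
    }
    return $cfg;
}
// Build the NVP body. http_build_query URL-encodes every value, so an '&' or '=' inside a
// field cannot smuggle in extra parameters the way manual string concatenation can.
function buildNvpRequest(array $cfg, string $method, array $fields): string
{
    return http_build_query([
        'METHOD'    => $method,
        'VERSION'   => '65.1', // the sample calls for 65.1 or later
        'USER'      => $cfg['user'],
        'PWD'       => $cfg['pwd'],
        'SIGNATURE' => $cfg['signature'],
    ] + $fields);
}
// POST the body over TLS with peer verification left on; return the decoded NVP reply.
function ppHttpPost(string $endpoint, string $body): array
{
    $ch = curl_init($endpoint);
    curl_setopt_array($ch, [
        CURLOPT_POST => true, CURLOPT_POSTFIELDS => $body, CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, CURLOPT_SSL_VERIFYHOST => 2, CURLOPT_TIMEOUT => 30,
    ]);
    $raw = curl_exec($ch);
    $err = curl_error($ch);
    curl_close($ch);
    if ($raw === false) {
        throw new RuntimeException("PayPal request failed: $err"); // do not include $body
    }
    parse_str($raw, $response); // e.g. ['ACK' => 'Success', 'TOKEN' => '...']
    return $response;
}
```

Usage: `$cfg = loadPayPalConfig(); $resp = ppHttpPost($cfg['endpoint'], buildNvpRequest($cfg, 'SetExpressCheckout', $fields));` where `$fields` holds the purchase parameters; the credentials never appear in a script under the web root.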
