
What is the security issue of having functional code in config.php

My developer delivered code to a client with a couple of functions within the config.php file.

The customer stated that this is a security risk, and being a non-PHP guy, I would like to know if anyone knows why this is.

What are the security vulnerabilities in config.php?

Code:

<?php 
    //$config["ALLOWED_IPS"] = Array("rrrr,tttt,uuuu"); 
    $config["PRIVATE_KEY"] = "sssss"; 
    $config["PUBLIC_KEY"] = "aaaaa"; 
    $config["DB_HOST"] = "wwwww"; 
    $config["DB_NAME"] = "334455ffff"; 
    $config["DB_USER"] = "uuuu"; 
    $config["DB_PASS"] = "uuuu"; 
    //AWS access info 
    if (!defined('awsAccessKey')) define('awsAccessKey', 'xxxxx'); 
    if (!defined('awsSecretKey')) define('awsSecretKey', 'yyyyy'); 

function uploadS3($FilePath,$name=""){
  $FilePath = str_replace("https://s3.amazonaws.com/","",$FilePath); 
  $info_path2 = explode("/",$FilePath);
  if (count($info_path2)>1){
    $Bucket = $info_path2[0];
    $Object_info = str_replace($Bucket."/","",$FilePath);

    if (!class_exists('S3')) require_once('S3.php');
    //instantiate the class
    $s3 = new S3(awsAccessKey, awsSecretKey);
    $s3->putBucket($Bucket, S3::ACL_PRIVATE);

    if ($s3->getObject($Bucket, $Object_info, $name)) {
      return true;
    }else{
      return false;
    }

  }
  return false;
}
?>

If the configuration values are stored in variables that are located within an extendable class, conceivably they could be overwritten from anywhere else within the code that can instantiate that class. Depending on exactly how you're managing or exposing your code this could be categorised as a security issue.

Here's more to get you started on how overriding variables could be possible: Why is it possible to override instance variables in PHP but not in Java?

Putting secrets in a file in the document root is considered a bad practice because if the server is misconfigured and serves the .php as a plain file, or if a stacktrace is printed including the lines in question, you just leaked your secrets. (This happens more than you would think, especially in server moves and maintenance.)

Also, mixing up secrets and actual active code in the same file as above makes it difficult to manage your code and deployment—you may end up checking passwords into a source code repository, which is no good thing.

The usual advice is to keep secrets such as database credentials and API keys in a static configuration-only file stored outside the web server's document root, and read it in from PHP when you need it.
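
The advice above, worked through as an added example (not code from the question or from either answer): a loader that reads a data-only INI file and refuses to use it if the file sits under the document root or is readable by other users. The function name `loadSecrets`, the INI format and the temp-directory layout are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);
// Added example, not the asker's code. File layout and key names are assumptions.
function loadSecrets(string $path, string $docRoot, array $requiredKeys): array
{
    $real = realpath($path);
    $root = realpath($docRoot);
    if ($real === false || $root === false || !is_file($real)) {
        throw new RuntimeException('Secrets file or document root not found');
    }
    // A file under the document root is served as plain text if PHP handling breaks.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) === 0) {
        throw new RuntimeException('Secrets file must live outside the document root');
    }
    // POSIX only: refuse files that users other than owner and group can read or write.
    if ((fileperms($real) & 0006) !== 0) {
        throw new RuntimeException('Secrets file is open to other users; use chmod 640 or stricter');
    }
    // INI_SCANNER_RAW: values are taken as literal strings, not parsed or expanded.
    $values = parse_ini_file($real, false, INI_SCANNER_RAW);
    if ($values === false) {
        throw new RuntimeException('Secrets file is not valid INI');
    }
    $missing = array_diff($requiredKeys, array_keys($values));
    if ($missing !== []) {
        // Report key names only; never put secret values in an error message.
        throw new RuntimeException('Missing config keys: ' . implode(', ', $missing));
    }
    return $values;
}

// Demo on a constructed layout: <tmp>/public is the web root, <tmp>/private holds secrets.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cfgdemo-' . getmypid();
mkdir("$base/public", 0700, true);
mkdir("$base/private", 0700, true);
$ini = "DB_HOST = db.example.internal\nDB_USER = app\nDB_PASS = constructed-password\n";
file_put_contents("$base/private/secrets.ini", $ini);
chmod("$base/private/secrets.ini", 0600);
$config = loadSecrets("$base/private/secrets.ini", "$base/public", ['DB_HOST', 'DB_USER', 'DB_PASS']);
echo 'Loaded keys: ', implode(', ', array_keys($config)), PHP_EOL;
// The same file copied into the web root is rejected.
copy("$base/private/secrets.ini", "$base/public/secrets.ini");
try {
    loadSecrets("$base/public/secrets.ini", "$base/public", ['DB_HOST']);
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

Because the file holds only key/value data, a stack trace or a misconfigured handler has no credential lines in PHP source to print, and the file can be excluded from the source repository independently of the code.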

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

 