No need for all the dots and extra quotes (in fact when php parses a double-quoted string containing a variable, it produces the exact same tokenized byte-code as if you had used concatenation) -
Hi guys
Well, the thing is I am trying to set some parameters that are stored and influence operation of a larger php script. However I cannot use a database in this instance. Also the settings will change depending on exactly how the script is used. I could use a config.php file but this requires the user to start editing files. In this way I can have a fixed config.php file and a settings.php created based on input that I can include when needed. No database, no sessions, and peferences are stored… It actually works very well for what I need.
In that case I’d still opt for some other format, like ini or even something like yaml to write and then read back and interpret, rather than write some file that will be executed. shudders
Hi, can you explain the ‘shudders’ I mean congig.php gets executed as do all includes. Eventually some code will have to be executed to set variables based on the options stored. Not being argumentative but maybe I am being naive. How a would a .ini file work? Would it be secure? Do I just replace .php with.ini?
I chose a PHP file because even if it does execute someone cannot just click on it and view contents or download it. I mead config.php is often used to store sensitive info such as database connection parameters, it basically executes when called and seems to be accepted as secure.
As I say, not arguing just genuinely learning and open to all advice thank you.
Well, all included files are indeed executable, but most of them are not written by a machine.
For example, what happens if someone enters '; die('Nope')'; as one of the credentials, then the entire site will be down. It probably will never happen, but just the idea that it might is bad enough.
An ini file would like this for example
[database]
username = foo
password = bar
database = baz
The main advantage is that it treats data as data, it will never be executed. So even if you try to hack it like above that won’t work.
As for people downloading it, put it in a directory “above” your index.php or in a directory that is protected against downloads with an .htaccess file.
Well I don’t think I am naive but I am certainly less experienced than you. Now I am worried about security on a whole new level, I thought using POST and if (isset()) then sanitizing any input was pretty much secure. So as well as preventing SQL injection with prepared statements, sanutizing POST inputs, htmlspecialchars() and brute force attacks, I also have to prevent people submitting data to an app without even using a form!
Is there anywhere an example of a script that is actually secure to use as a basis or template
It seems nowadays with PHP 75% of coding is blocking security holes.
Can you please explain how this could be done so I can attempt to prevent it please ?