my developer delivered code client couple of functions within config.php file.
the customer stated security risk , being non php guy know if knows why is.
what security vulnerable in config.php?
code:
<?php //$config["allowed_ips"] = array("rrrr,tttt,uuuu"); $config["private_key"] = "sssss"; $config["public_key"] = "aaaaa"; $config["db_host"] = "wwwww"; $config["db_name"] = "334455ffff"; $config["db_user"] = "uuuu"; $config["db_pass"] = "uuuu"; //aws access info if (!defined('awsaccesskey')) define('awsaccesskey', 'xxxxx'); if (!defined('awssecretkey')) define('awssecretkey', 'yyyyy'); function uploads3($filepath,$name=""){ $filepath = str_replace("https://s3.amazonaws.com/","",$filepath); $info_path2 = explode("/",$filepath); if (count($info_path2)>1){ $bucket = $info_path2[0]; $object_info = str_replace($bucket."/","",$filepath); if (!class_exists('s3')) require_once('s3.php'); //instantiate class $s3 = new s3(awsaccesskey, awssecretkey); $s3>putbucket($bucket, s3::acl_private); if ($s3>getobject($bucket, $object_info, $name)) { return true; }else{ return false; } } return false; } ?>
putting secrets in file in document root considered bad practice because if server misconfigured , serves .php plain file, or if stacktrace printed including lines in question, leaked secrets. (this happens more think, in server moves , maintenance.)
also, mixing secrets , actual active code in same file above makes difficult manage code , deployment—you may end checking passwords source code repository, no thing.
the usual advice keep secrets such database credentials , api keys in static configuration-only file stored outside web server's document root, , read in php when need it.
Comments
Post a Comment