Where should I place sensitive files so that they are read-able by PHP scripts? Where should I place sensitive files so that they are read-able by PHP scripts? apache apache

Where should I place sensitive files so that they are read-able by PHP scripts?


php apache security web

It's a good practice store sensitive data outside apache document root.

You need to allow PHP to access these folders adding or modifying the Virtual Host configuration.

Look for php_value open_basedir

and add your folders separated by a colon (:)

More info at open_basedir

Note: there is a few security issues with open_basedir, explained in

http://www.hardened-php.net/advisory_012004.42.html

EDIT:

I use this tree structure for each domain:

domain/            www-data permisions├── etc            r-x├── log            rwx├── phpCache       rwx├── phpFiler       rwx├── phpInclude     r-x├── phpLogs        rwx├── phpSession     rwx├── phpTmp         rwx├── phpTrash       rwx├── privat         --- ├── www443         r-x└── www80          r-x

etc: for application configuration files.

log: for Apache or nginx log files

phpCache: for Zend_Cache files

phpFiler: for app's files, a PHP script serves it if the user has privileges.

phpInclude: php_value include_path

phpLogs: for application logs

phpSessions: for store this virtual host data sessions.

phpTmp: for temporal files, like uploaded.

phpTrash: a trash for phpFiler.

privat: for my private pourposes

www443: for https document root

www80: for http document root

In open_basedir clausule I put all folders except log and privat.

php apache security web

This means, that the so-called safe-mode is in affect, which does not allow any opening of file and directories outside a given directory (e.g. your specific webroot). This is very common on shared hosters and if you do not have access to the php.ini, you are out of luck and cannot access your files in ../private.

To access protected files, add a directory below your usual httpdocs-directory (e.g. private) and add a .htaccess-file inside with the content

order allowdeny deny from all

This will prevent anyone accessing the files without going through your php-script.

On a last note: if your php-file has been right under the httpdocs-directory, your script needs to point to ../private/test-dt.txt and not to ../../private/test-dt.txt.

php apache security web

Place them above the root folder. The PHP scripts will still be able to access them, but if the website is compromised then directories above the root should remain secure.

So put them somewhere like /var/www/vhosts/sensitive-docs/ and set permissions on the directory so that PHP can read the files.

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last