doubledee Posted April 24, 2011

I am building an e-commerce site and have a security question.

My Payment Gateway has given me "Log-In ID" and "Transaction Key" that I use to log in to their server to submit payments.

What is a *reasonable* way to protect this information?

I have a VPS with root access, although I'm relying on using sFTP and the Plesk Control Panel since I don't know SSH yet.

Can I just store my "Log-In ID" and "Transaction Key" in a php file outside of my Web Root and include it? Would that be secure enough for now?

Thanks,

Debbie

Link to comment https://forums.phpfreaks.com/topic/234602-securing-server-log-in-info/
ohdang888 Posted April 24, 2011

> Can I just store my "Log-In ID" and "Transaction Key" in a php file outside of my Web Root and include it? Would that be secure enough for now?

In my knowledge, yes, that would be sufficient for most businesses. But I'm interested to see what others have to say about this as well.
doubledee Posted April 24, 2011 Author

> > Can I just store my "Log-In ID" and "Transaction Key" in a php file outside of my Web Root and include it? Would that be secure enough for now?
>
> In my knowledge, yes, that would be sufficient for most businesses. But I'm interested to see what others have to say about this as well.

I realize that I can get into encrypting the values and storing them in a MySQL database, but I'm hoping my suggestion above is good enough to get started.

Debbie
Fadion Posted April 24, 2011

I guess storing them in a PHP file would be enough. Whatever someone does will only get the file parsed as HTML, so no actual information can be retrieved. If you want to be over-defensive, just place the file outside document root and simply include it. It would be quite impossible for someone to access those data, even more secure than encrypted in a database (SQL injections can be found and hashes aren't impossible to "break").
doubledee Posted April 25, 2011 Author

> I guess storing them in a PHP file would be enough. Whatever someone does will only get the file parsed as HTML, so no actual information can be retrieved. If you want to be over-defensive, just place the file outside document root and simply include it. It would be quite impossible for someone to access those data, even more secure than encrypted in a database (SQL injections can be found and hashes aren't impossible to "break").

Okay, so can you help me with the code? (I've always been a wimp with arrays?!)

Here is my current code with strings hard-coded in the array...

```php
// Assign Form Data to Post Array.
$post_values = array(
    "x_login"    => "someValue",
    "x_tran_key" => "anotherValue",
    // ...
);
```

What is the most efficient way to get my "Login ID" and "Transaction Key" from a file located out of my Web Root into this array??

In other words, I'm trying to avoid storing it somewhere temporarily that could defeat using my include.

Is there a way to include a file with those values but not make it available to the world?

Debbie
trq Posted April 25, 2011

> Is there a way to include a file with those values but not make it available to the world?

As long as the file isn't served as plain text it won't be viewable.
doubledee Posted April 25, 2011 Author

> > Is there a way to include a file with those values but not make it available to the world?
>
> As long as the file isn't served as plain text it won't be viewable.

A few things...

1.) I know this is probably a super dumb question, but regardless of where the data comes from, how do I convert this code to work with variables??

```php
$post_values = array(
    "x_login" => "someValue"
);
```

Do I do this...

```php
$post_values = array(
    "x_login" => "$someVariable"
);
```

Or this...

```php
$post_values = array(
    "x_login" => $someVariable
);
```

2.) So do you agree with the previous advice that it is secure enough for starters to include a PHP file located outside my Web Root that contains my Payment Gateway "Login Id" and "Transaction Key"??

Eventually I'd like to encrypt them and store them in a database, but one step at a time as long as it is reasonably secure.

3.) Does it matter where I store the file outside of my Web Root? (Linux server)

Thanks,

Debbie
trq Posted April 25, 2011

Variables are not required to be within quotes, so the latter example is fine.

Also, you could just as easily store this file within your web root, as I said, as long as it's not served as plain text its contents will not be visible.

Of course, it is however going to be safer to store it outside your web root in case your server suffers a misconfiguration and starts serving PHP as plain text. Where outside your web root does not matter.
doubledee Posted April 25, 2011 Author

> Variables are not required to be within quotes, so the latter example is fine.
>
> Also, you could just as easily store this file within your web root, as I said, as long as it's not served as plain text its contents will not be visible.
>
> Of course, it is however going to be safer to store it outside your web root in case your server suffers a misconfiguration and starts serving PHP as plain text. Where outside your web root does not matter.

So in my Payment Form I would do something like this...

```php
<?php
require_once('/var/www/vhosts/MyWebsite.com/SomeOtherDirectory/gateway_config.inc.php');
?>
```

Debbie
trq Posted April 25, 2011

Yes.
doubledee Posted April 25, 2011 Author

> Yes.

Okay, thanks!!

Debbie
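
The approach settled on in this thread, as an added example that is not code from any of the posters: a config file outside the web root returns the credentials as an array, and a loader checks its location and permissions before the values go into `$post_values`. The function name `load_gateway_config()`, the keys `login_id` and `transaction_key`, the temp-directory layout and the placeholder values are all assumptions made for illustration.

```php
<?php
// Added example; load_gateway_config() and the array keys are assumptions.
function load_gateway_config(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException('Gateway config not found');
    }
    // Refuse a file inside the document root, where a misconfigured
    // server could serve it as plain text. An unresolvable root fails closed.
    $root = rtrim((string) realpath($docRoot), '/') . '/';
    if (strpos($real, $root) === 0) {
        throw new RuntimeException('Gateway config must live outside the web root');
    }
    // Refuse world-accessible files; owner/group bits depend on which
    // user PHP runs as on the server.
    if ((fileperms($real) & 0007) !== 0) {
        throw new RuntimeException('Gateway config must not be world-accessible');
    }
    $config = require $real; // the file ends with: return array(...);
    foreach (array('login_id', 'transaction_key') as $key) {
        if (!is_array($config) || empty($config[$key]) || !is_string($config[$key])) {
            throw new RuntimeException("Gateway config is missing '$key'");
        }
    }
    return $config;
}

// Constructed demo: temp directories stand in for the real server layout.
$base    = sys_get_temp_dir() . '/gw_demo_' . getmypid();
$docRoot = "$base/httpdocs";
$file    = "$base/private/gateway_config.inc.php";
mkdir($docRoot, 0755, true);
mkdir(dirname($file), 0750, true);
file_put_contents($file, "<?php\nreturn array(\n"
    . "    'login_id'        => 'PLACEHOLDER_LOGIN_ID',\n"
    . "    'transaction_key' => 'PLACEHOLDER_TRANSACTION_KEY',\n);\n");
chmod($file, 0640);

$gateway = load_gateway_config($file, $docRoot);

// Variables go into the array unquoted.
$post_values = array(
    "x_login"    => $gateway['login_id'],
    "x_tran_key" => $gateway['transaction_key'],
);
echo implode(', ', array_keys($post_values)), "\n";
```

Because the config file returns its array instead of defining globals, the credentials exist only in the variable the caller assigns them to.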