pixsector Posted November 27, 2023 Share Posted November 27, 2023 Hi, - someone coded for me a simple PHP application. The database name and password are in the db.env file. Is it more or less secure? - db.env file is blocked in Htaccess. The second image shows the error when you go to this file. - the app has 1 input field (text+numbers only) for adding a nicknames - Is it possible to somewhat improve this app against malware attacks without major changes? Quote Link to comment https://forums.phpfreaks.com/topic/317484-simple-php-app-advice-regarding-security/ Share on other sites More sharing options...
Strider64 Posted November 27, 2023 Share Posted November 27, 2023 I personally find it better to have the configuration file outside the root directory require_once __DIR__ . '/../config/config.php'; // Goes one up from the root / directory Quote Link to comment https://forums.phpfreaks.com/topic/317484-simple-php-app-advice-regarding-security/#findComment-1613152 Share on other sites More sharing options...
gizmola Posted November 27, 2023 Share Posted November 27, 2023 Using .env files is best practice, but probably not for the reasons you think. The main reason for those, is that previously people had a bad practice of actually putting credentials into files, and then they would get stored in source code repositories. What I would do with your project is to move all the files that can be directly called or referenced from "web space" ie. within or below the "web root" directory for the web server. What I'm going to describe to you is what pretty much all web projects do these days. So what I would do here, is create a public folder in your project. I would then move all the web directories (css, img, js) into it, as well as index.html, leaderboardtable.php and word-comparison.php into that directory. The .htaccess should also be in /public Note that these changes will break the application, and you will need corresponding changes, including regeneration of the autoload file with composer (assuming that is being used). The web configuration should then set the webroot to this projectname/public directory. At that point, you should notice what is no longer in web space: any project files the .env file dot files in the root the /vendor directory Depending on your web stack, there are additional tweaks you can make that might have some additional security benefits, if for example you are using fcgi/php-fpm or nginx with those etc. In those cases, you can utilize separate users for the php code and the web server, but at very least, moving anything out of "web space" means that you no longer have to try and knock down holes in a .htaccess, as users will only be able to directly reference the things you want them to, and there is no way they will be able to explore web space with the web browser, and potentially access a file that is used in your project. Quote Link to comment https://forums.phpfreaks.com/topic/317484-simple-php-app-advice-regarding-security/#findComment-1613153 Share on other sites More sharing options...
pixsector Posted November 27, 2023 Author Share Posted November 27, 2023 Thank you very much for your advice. I will try to make these changes. Quote Link to comment https://forums.phpfreaks.com/topic/317484-simple-php-app-advice-regarding-security/#findComment-1613157 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.