How secure is storing DB variables with SetEnv or in php.ini?

Question

I don\'t like storing sitewide crypto keys and DB access information under document_root, so I was using Apache\'s SetEnv and php.ini files under conf.d to separate these fr

Answer 1

As long as *.ini and SetEnv are outside of the web root (document root) it doesn't matter either way. Just choose whichever you prefer. I like SetEnv, but it's really just personal preference. It makes more sense to me to use SetEnv since the variables are put into _SERVER. With the .ini, I think it makes more sense to leave it for initialization settings specific to how the code works.

Not storing under the document root is a good idea to prevent access to possibly secure data.

Note that phpinfo() will list any server variables that are set, so be very careful about that.

Finally, if you are including files, make sure that you don't allow gratuitous ../../ set by the user somehow or they will have access to potentially secure files (even including /etc/passwd!)

I think your main question is "how secure." Well, this probably about as secure as you can get without causing major headaches. The php code has access to these variables, so if you print them out they are easily visible, so it depends on how secure your code base is. It might be possible to use LDAP with MySQL, but that sounds like a huge pain.