Since most of our scripts are simple, and only one administrator logs in to the admin panel, we stored the admin login username and password in config.php, and also the server/database connection information, PayPal account, etc. in config.php. So my question is: Is it safe to store such information in config.php? Can others use fopen("http://www.yourdomain.com/config.php","r") to read the config.php file? And also, can others edit this file?
http://forums.digitalpoint.com/includes/config.php ^^ Seems pretty safe to me. If you don't tell the code to output anything, you'll just get a blank page. (Unless there's something outside the <?php tags, OR the file is on the same host)
Nico's correct, as long as it doesn't output any text and is a PHP file with all the code between <?php ?>. There's no way to grab the source code of a PHP file unless somebody has access to FTP or SSH. If somebody opens the file in PHP using fopen or in Perl using LWP, they will only get the output of the file, not the source.
My only input is to make sure *not* to name it config.inc, because many web hosts are set up to serve .inc files as text, so people could potentially see your code.
There are a few things to consider and they depend on how much control you have over the server. If you know that PHP files will always be associated with the PHP executable, then you have no direct problem with external security (meaning any HTTP requests for the file will return only what you echo). If they are ever disassociated, the files will be sent as plain text. If other people can log into the server, you need to make sure they do not have read permission or they can read it like a regular text file, even if it is in your user directory. Read about CHMOD for more info. Of course, your information is only as secure as the least secure method of accessing it. If you have people logging into the server with FTP, you're pretty much broadcasting the password to any servers between your computer and the end server.
Well, you have to consider that hackers have a large amount of resources to discover what is hidden in a page. Injection is one of them, and if your code is not absolutely bulletproof with client-side and server-side validation sets, you may get surprises. However, while it is rather safe to consider that a server-defined variable in PHP will never be displayed locally, it is recommended to save your password into encrypted fields in databases.
Nico is right, there is little danger in storing a config file in a public directory as long as you are a little careful. Most config files just round up some variables and the most output you will receive is a MySQL error. If you are really concerned about this, either A> drop an .htaccess password on your includes folder. PHP can access it locally, but if you give a direct request, the id/pw must be correct. B> move your includes folder outside of the public_html folder and put it in your root folder. For example, instead of /home/sitename/public_html/includes/config.php make the location /home/sitename/includes/config.php. Again, your PHP code can access it but it will be totally unavailable to the internet. FTP cracking by packet sniffing can still bring this down. Keep your passwords safe, people!!!
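Option B from the reply above (config outside public_html), combined with the file-permission point from the earlier reply and a hashed admin password, as an added example that is not from anyone in this thread. The directory layout and paths are the ones the post gives; the config keys, `adminLoginOk()` and the placeholder values are assumptions.

```php
<?php
// Added example, not from the thread. Layout (paths from the post above):
//   /home/sitename/includes/config.php    <- credentials, outside the web root
//   /home/sitename/public_html/index.php  <- this file, publicly reachable
//
// config.php is assumed to contain only a returned array and no output, e.g.:
//   <?php
//   return [
//       'db_host'         => 'localhost',
//       'db_user'         => 'CHANGE_ME',   // placeholders, not real values
//       'db_pass'         => 'CHANGE_ME',
//       'admin_user'      => 'CHANGE_ME',
//       'admin_pass_hash' => '$2y$10$...',  // output of password_hash(), not the password
//   ];
// Because the file lives one level above public_html, an HTTP request can
// never reach it, even if the server ever stops handing .php files to PHP.

$configPath = dirname(__DIR__) . '/includes/config.php'; // /home/sitename/includes/config.php

// Other shell/FTP users on the same host can read a world-readable file
// directly, so refuse to run until the mode is tightened (chmod 600).
$perms = fileperms($configPath);
if ($perms === false || ($perms & 0004)) {
    error_log(sprintf('config.php unreadable or world-readable (mode %o); run chmod 600 on it',
                      $perms === false ? 0 : $perms & 0777));
    http_response_code(500);
    exit;
}

$config = require $configPath;

/**
 * Check an admin login against the stored hash instead of a plaintext password.
 * hash_equals() keeps the username comparison constant-time as well.
 */
function adminLoginOk(array $config, string $user, string $pass): bool
{
    return hash_equals($config['admin_user'], $user)
        && password_verify($pass, $config['admin_pass_hash']);
}

// Usage from a login form handler:
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = adminLoginOk($config, $_POST['user'] ?? '', $_POST['pass'] ?? '');
    echo $ok ? 'Logged in' : 'Invalid login';
}
```

If you prefer option A and keep the includes folder inside public_html, a `.htaccess` in that folder containing `Require all denied` (Apache 2.4) blocks every direct request while PHP's `require` still works, since it reads the file from disk rather than over HTTP.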