Using PHP to protect an XML config file with .htaccess

Discussion in 'PHP' started by Rory M, Jan 9, 2011.

  1. #1
    Hi Everyone,

    Looking for some viewpoints here. I currently have a .xml file that I'm using to hold configuration data, some of which is sensitive (database password and username for example). Currently I've made it inaccessible through htaccess, which in theory should be sufficient?

    If the script was ever to either come under attack or be distributed where people might for whatever reason break or delete the htaccess protection, I had attempted to make it 'self repairing' - i.e. the index.php file checks to see if the .htaccess both exists and matches the MD5 hash which it should be and if not re-writes itself to the correct value. This has hit a stone wall though, as both fopen() and rename() return 'Permission Denied' when attempting to open a . (hidden) file. I can't think of any way round this - any suggestions?

    Even if we were to get that mechanism working properly as above, if an attacker was able to delete or change the .htaccess file then they could read the xml config file as long as index.php wasn't accessed beforehand (which would repair the .htaccess).

    So I'm wondering if some sort of redundant encryption on sensitive fields is a good idea? A thought I have just had is perhaps storing the XML value as a reference to a PHP variable, e.g.

    <db-password>$database_password</db-password>
    Which would presumably then be stored safely in a PHP file - not the most elegant of solutions though :(

    I'd love any suggestions at this point. I mean I realise that if an attacker has the ability to delete the .htaccess file then they in all likelihood have enough access to download settings.xml directly - am I being over paranoid here?

    Thanks a lot as always xD
     
    Rory M, Jan 9, 2011 IP
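
The placeholder idea from the post above, as an added example that is not part of the original thread: settings.xml keeps only `$name` references, and the real values come from a PHP file that the server executes rather than serves as text. The function name `load_config`, the `secrets.php` file name, the `db-host` and `db-username` elements and all sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Resolve "$name" placeholders in an XML config against an array of secrets.
// Placeholders are looked up by name only; nothing from the XML is eval()'d.
function load_config(string $xml, array $secrets): array
{
    $doc = simplexml_load_string($xml);
    if ($doc === false) {
        throw new RuntimeException('settings XML is not well-formed');
    }
    $config = [];
    foreach ($doc->children() as $node) {
        $value = trim((string) $node);
        // Only a value that is entirely "$identifier" counts as a placeholder.
        if (preg_match('/^\$([A-Za-z_][A-Za-z0-9_]*)$/', $value, $m)) {
            if (!array_key_exists($m[1], $secrets)) {
                // Fail closed instead of passing the literal "$name" to the DB layer.
                throw new RuntimeException('no secret defined for placeholder $' . $m[1]);
            }
            $value = (string) $secrets[$m[1]];
        }
        $config[$node->getName()] = $value;
    }
    return $config;
}

// Constructed sample: what settings.xml would hold. Reading it over HTTP
// (for example after .htaccess is deleted) reveals only the placeholder names.
$settingsXml = <<<'XML'
<settings>
    <db-host>localhost</db-host>
    <db-username>$database_username</db-username>
    <db-password>$database_password</db-password>
</settings>
XML;

// Constructed sample: the array a hypothetical secrets.php would `return`.
// In use this would be: $secrets = require __DIR__ . '/secrets.php';
$secrets = [
    'database_username' => 'app_user',
    'database_password' => 'example-only-password',
];

$config = load_config($settingsXml, $secrets);
echo implode(', ', array_keys($config)), PHP_EOL; // keys only, never echo the values
```

This relies on the server executing .php files; if the PHP handler is ever disabled, secrets.php would be served as source just like the XML.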
  2. ssmm987

    #2
    A simple Xor encryption should do the work.
     
    ssmm987, Jan 9, 2011 IP
  3. kokarat

    #3
    Can you give example code?
     
    kokarat, Apr 23, 2011 IP