
Say I have a file that contains a single password. It's blocked from Apache to deny access. Then, I create a PHP script that reads this file and does something with the contents (authenticates). Maybe my PHP script says

```php
$pswd = file_get_contents("pswd.txt");
```

Is this secure? Is there any way for someone to get the value of `$pswd`? If the file is blocked from Apache, can it be considered private, even if a PHP script is reading it?

It doesn't need to be ultra-secure, there's no money involved. Potential attackers won't have too strong a motive. The only direct users of this will be on the iOS platform, so injecting malicious code into the password-based GitHub repo won't get very far through iOS' security.

Luke Taylor
  • Instead of having a password stored explicitly in a file, It's a better idea to hash/checksum the password, save that in a file, and then check that against the password the user types in. That way, there is no danger of the password getting stolen. – Majora320 Feb 21 '16 at 01:37
  • It's not a password a user types in. It's a single, fixed password that needs to be accessed by my web app. It will never change unless I change it manually. I just don't want to expose it in the code of the PHP script, which will be accessible when using the service. – Luke Taylor Feb 21 '16 at 01:38
  • You can find a little about that [here](https://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords?rq=1) – Majora320 Feb 21 '16 at 01:39
  • Why do you need the fixed password? – Majora320 Feb 21 '16 at 01:39
  • The web app needs to have partial write access to a GitHub repo. It needs to log in to the GitHub repo, using a password that is hidden to the user. – Luke Taylor Feb 21 '16 at 01:40
  • If it's to an API or similar, why not just edit the php file and put the password in the actual file? – Matt Feb 21 '16 at 01:41
  • Can't anyone who uses the service by going to a URL like example.com/myService.php?foo=abc then see the source of the PHP file? – Luke Taylor Feb 21 '16 at 01:42
  • If this were Java, you could just make the variable a `private char[]`, but it's not... – Majora320 Feb 21 '16 at 01:42
  • Is putting it in an Apache-blocked text file secure enough? (There's nothing too important depending on this. No money involved, potential attackers won't have too strong a motive.) – Luke Taylor Feb 21 '16 at 01:44
  • PHP is run on the server. Clients usually never see the source. The hidden text file is more prone to exposure. – mario Feb 21 '16 at 01:49
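
As an added example (not code from the question or its comments), here is one way to do what the question describes so that the server never has to rely on an Apache deny rule at all: the secret lives in a file outside the document root, the loader refuses to use it if it is under the web root or readable by other local users, and the trailing newline most editors append is stripped. The path `/var/www/private/pswd.txt` and the function name `load_secret` are assumptions for the example.

```php
<?php
// Added example: read a fixed secret from a file kept outside the web root.
// The path is an assumption; adjust it to the server's layout.

function load_secret(string $path): string
{
    $realPath = realpath($path);
    if ($realPath === false || !is_file($realPath)) {
        throw new RuntimeException("secret file not found: $path");
    }

    // Refuse a file that the web server could serve directly, whatever .htaccess says.
    $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docRoot !== false && strpos($realPath, $docRoot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("secret file must not live under the document root");
    }

    // Refuse a file that other local users (e.g. other vhosts on shared hosting) can read.
    $mode = fileperms($realPath) & 0777;
    if (($mode & 0007) !== 0) {
        throw new RuntimeException(sprintf("secret file is world-readable (mode %04o)", $mode));
    }

    $contents = file_get_contents($realPath);
    if ($contents === false) {
        throw new RuntimeException("cannot read secret file");
    }
    // Drop the trailing newline an editor adds; keep every other byte as-is.
    return rtrim($contents, "\r\n");
}

// Usage: the file is expected at the assumed path, owned by the web server
// user with mode 0600, and the script itself can be published without it.
$pswd = load_secret('/var/www/private/pswd.txt');
// ... use $pswd for the GitHub request; never echo it into a response or a log.
```

The point the comments make (PHP runs on the server, so the source is not sent to the client) still holds; what this adds is that a file outside the document root stays private even if the `.htaccess` rule is lost, misspelled, or overridden by an `AllowOverride` change, and the permission check catches the common shared-hosting mistake of leaving the file readable by every account on the box.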

1 Answer


It is possible and secure enough for you if you encrypt the data. A possible encryption that can be decrypted is openssl.

```php
$txtpass = "password in textfile";
$key = "password"; // Encryption password to 'lock and unlock' the data
$iv = "1234567812345678"; // 16-byte IV required by AES-128-CBC
$encrypted = openssl_encrypt($txtpass, 'AES-128-CBC', $key, 0, $iv);
$decrypted = openssl_decrypt($encrypted, 'AES-128-CBC', $key, 0, $iv); // decrypt the ciphertext, not the plaintext
```

Use an .htaccess file like this

```apacheconf
<Files ~ "pswd.txt">
   Order allow,deny
   Deny from all
   Satisfy All
</Files>
```

and store an encrypted pass and you're good to go.

Ramon Bakker
  • Great. I'll look into this, then. Could you elaborate as to how exactly a file with Apache `Deny from all` is vulnerable, how might an attacker get at it? – Luke Taylor Feb 21 '16 at 01:53
  • I'm biased towards an unencrypted text file simply so that I can publish the PHP file on GitHub without modification, and have security anyway. Of course, I *could* change it before commit, but I'm lazy and would rather not. – Luke Taylor Feb 21 '16 at 01:59
  • DO NOT USE A STATIC IV; use a cryptographically random IV and store that IV, in the clear, along with your encrypted data in the text file. Generate a new random IV every time you change the password. DO NOT USE the $txtpass as the password itself, use something like PBKDF2 with high iterations, or even password_hash (BCrypt; pull out the hash itself and save the salt & work factor only). You're also using an [undocumented function](https://secure.php.net/manual/en/function.openssl-encrypt.php) as of PHP 7, which is probably a really bad idea. – Anti-weakpasswords Feb 21 '16 at 20:23
  • I know, but the security doesn't have to be high end security. It's just a little extra feature. Normally you can add the key to the end of the encrypted text. And I never stated to use the password from inside the file to use as the encryption key. Also, hex the data. – Ramon Bakker Feb 21 '16 at 20:29
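
As an added example (not the answer's code), this is the same `openssl_encrypt`/`openssl_decrypt` pattern rewritten with the two fixes the comments above ask for: the AES key is derived from a passphrase with PBKDF2 instead of being the raw string, and a fresh random IV is generated per encryption and stored in the clear next to the ciphertext, with the whole record hex-encoded for the text file. The function names, the record layout (salt, IV, ciphertext), the iteration count and the `SECRET_PASSPHRASE` environment variable are assumptions for the example.

```php
<?php
// Added example: openssl AES-128-CBC with a PBKDF2-derived key and a random IV,
// stored as hex(salt || iv || ciphertext). Layout and names are assumptions.

const CIPHER = 'aes-128-cbc';
const SALT_LEN = 16;
const PBKDF2_ITERATIONS = 100000;

// Derive a 16-byte AES-128 key from a passphrase and a per-record salt.
function derive_key(string $passphrase, string $salt): string
{
    return hash_pbkdf2('sha256', $passphrase, $salt, PBKDF2_ITERATIONS, 16, true);
}

// Produce the hex string to write into the text file.
function seal_secret(string $plaintext, string $passphrase): string
{
    $salt = random_bytes(SALT_LEN);
    $iv   = random_bytes(openssl_cipher_iv_length(CIPHER)); // new IV every time
    $key  = derive_key($passphrase, $salt);
    $ct   = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return bin2hex($salt . $iv . $ct);
}

// Recover the plaintext from the stored hex record.
function open_secret(string $hex, string $passphrase): string
{
    $raw   = hex2bin($hex);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    // Minimum length: salt + IV + one 16-byte AES block.
    if ($raw === false || strlen($raw) < SALT_LEN + $ivLen + 16) {
        throw new RuntimeException('stored secret is malformed');
    }
    $salt = substr($raw, 0, SALT_LEN);
    $iv   = substr($raw, SALT_LEN, $ivLen);
    $ct   = substr($raw, SALT_LEN + $ivLen);
    $key  = derive_key($passphrase, $salt);
    $pt   = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('decryption failed (wrong passphrase or corrupted record)');
    }
    return $pt;
}

// The passphrase must not sit in the published PHP file; here it is read from an
// assumed environment variable, with a constructed sample value as the fallback.
$passphrase = getenv('SECRET_PASSPHRASE') ?: 'constructed-sample-passphrase';

// One-time setup, run from the CLI rather than a web request (path is assumed):
// file_put_contents('/var/www/private/pswd.txt', seal_secret('github-token-here', $passphrase));

// In the web script:
// $pswd = open_secret(trim(file_get_contents('/var/www/private/pswd.txt')), $passphrase);
```

Two caveats a practitioner should keep in mind. First, encrypting the file only helps if the passphrase is kept somewhere the attacker who reads the file cannot also read; if both sit in the same directory, or the passphrase is committed with the PHP source, the encryption adds nothing. Second, CBC has no integrity check, so `openssl_decrypt` returning a value does not prove the record was not tampered with; on PHP 7.1 and later an AEAD mode such as `aes-128-gcm` with its tag gives that guarantee. Note also that the `Order`/`Deny from all` directives in the answer are Apache 2.2 syntax; on Apache 2.4 the equivalent inside `<Files>` is `Require all denied`.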