0

I know one solution is to put the .ini file outside the webroot, but I want to have a config file as part of the source tree of my webapp.

Since I want to put database passwords in it, I need to make sure its not accessible from typing www.drstrangelove.com/missile_codes.ini

I want to beleive there is an apache config setting for this but I don't know what it is or what to type in google to find out.

Matt
  • 3,778
  • 2
  • 28
  • 32

3 Answers3

4

You can use .htaccess for that:

<Files "*.ini">
order deny,allow
deny from all
</Files>

Or (if you want just the single .ini file): replace the * with the filename.

Tobias
  • 7,238
  • 10
  • 46
  • 77
2

While Tobiask's answer gets you what you need I would think a better solution would be to keep the .ini file outside of your htdocs (or www) directory so it can't be delivered by apache in the first place.

Jason
  • 15,017
  • 23
  • 85
  • 116
  • Check this question: http://stackoverflow.com/questions/97984/how-to-secure-database-passwords-in-php – Jason Jan 13 '11 at 13:34
  • @Matt As well as being good practice, by moving the file outside of the webroot, you limit your exposure to /other/ vulnerabilities that may exist in other parts of the web server or web application(s) installed on that machine. – Cheekysoft Jan 13 '11 at 17:12
1

If you can't use the .htaccess file you can always cheat: rename your ini file in something like config.ini.php;

Put this at the very first line:

#<?php exit; ?>
user=username
pass=secret

In this way, if you try to call the ini file via webserver, the PHP code will be executed, otherwise the function parse_ini_file will skip the first line since it is commented ("#")

Hope this help

Francesco Laurita
  • 23,434
  • 8
  • 55
  • 63