
In teaching myself PHP, I have come against a bit of a concern around security. I would very much appreciate some input on the two options below. Likely they are both wrong, although both work... But I would prefer to build on a proper solution.

I referenced this, and they indicate a few other options, but it is from 7 years ago... I also looked at this, but I am not understanding a single thing in that detailed answer!

The idea is to place all my variables inside a JSON file named global.json in order for Puppet to maintain changes in hostnames, passwords, API tokens etc. So it is fairly sensitive information.

The global.json file is protected via a Directory directive.

It is instantiated via a variables.php file:

<?php
  // Read the settings file and decode it into an object.
  $data = file_get_contents('includes/global.json');
  $config = json_decode($data);

  // Database Variables
  $database_host = $config->{'database'}->{'host'};
  $database_user = $config->{'database'}->{'username'};
  $database_password = $config->{'database'}->{'password'};
  $database_name = $config->{'database'}->{'database'};
  // Read the port from its own key ('port'), not from 'database'.
  $database_port = $config->{'database'}->{'port'};
?>

My main question is around the database functions.

Before I used a JSON file, I would include a dbcontroller file:

class DBController {
    // Placeholder credentials; the real values were hard-coded here.
    private $host = "192.168.50.3";
    private $user = "username";
    private $password = "password";
    private $database = "database_name";
    private $port = 5432;
    private $conn;

    function __construct() {
        $this->conn = $this->connectDB();
    }

    function connectDB() {
        $conn = pg_connect("host=$this->host port=$this->port dbname=$this->database user=$this->user password=$this->password");
        return $conn;
    }

    function runQuery($query) {
        $result = pg_query($this->conn, $query);
        $resultset = pg_fetch_all($result);

        if(!empty($resultset)) {
            return $resultset;
        }
    }
}

But, using the JSON file, I 'have' to update that to:

class DBController {
    private $conn;

    function __construct() {
        $this->conn = $this->connectDB();
    }

    function connectDB() {
        // The variables defined in variables.php are local to this method
        // (require_once runs the file in the calling scope).
        require_once 'includes/variables.php';
        $conn = pg_connect("host=$database_host port=$database_port dbname=$database_name user=$database_user password=$database_password");
        return $conn;
    }

    function runQuery($query) {
        $result = pg_query($this->conn, $query);
        $resultset = pg_fetch_all($result);

        if(!empty($resultset)) {
            return $resultset;
        }
    }
}

Is the implementation I use via JSON, (by including the file in the connectDB function) an accepted or at least a proper way to do this?

I suspect a first step will be to place the globals.json file outside the doc root rather than just rely on the directive, but any other advice or recommendations?

Werner
    Many systems these days will use environment variables to accomplish this job. This is especially handy when you're deploying applications on docker-like infrastructure. For local development, you can use a package like dotenv to get settings from a file. – Evert Jan 06 '20 at 06:27
  • wow yeah, I have not considered this approach, but you are correct, this is certainly an option. Initiate them using https://www.php.net/manual/en/function.getenv.php ? – Werner Jan 06 '20 at 06:34
  • Yes or via `$_ENV` – Evert Jan 06 '20 at 06:34
  • Apologies, you mention this is for local development, how would this change on production systems? Or is the only change there where they will be defined, eg `/etc/profile` or `~/.bashrc`? – Werner Jan 06 '20 at 06:39
  • This is getting a bit beyond the scope of the original question, but it highly depends on how this is deployed. I would use `dotenv` for local development. On production you might be able to set environment variables in your nginx or apache vhost, or when configuring a docker container. – Evert Jan 06 '20 at 06:41
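The following is an added example, not the asker's code, showing one way to address both points raised above: the JSON file is read from a path outside the document root and validated before use, the connection settings are passed into DBController explicitly instead of being pulled in with require_once inside a method, and the environment-variable approach from the comments is offered as a second source. The config path `/etc/myapp/global.json`, the environment-variable names (`DB_HOST` etc.) and the `users` table in the usage line are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not the original post's code). Paths, key names and the
// environment-variable names below are assumptions.

final class DbConfig
{
    public function __construct(
        public readonly string $host,
        public readonly int $port,
        public readonly string $database,
        public readonly string $user,
        public readonly string $password,
    ) {}

    // Option 1: JSON file kept outside the web root (assumed path
    // /etc/myapp/global.json), readable only by the PHP process user.
    public static function fromJsonFile(string $path): self
    {
        $raw = @file_get_contents($path);
        if ($raw === false) {
            throw new RuntimeException("Cannot read config file: $path");
        }
        // Fail on malformed JSON instead of silently continuing with null.
        $config = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
        $db = $config['database'] ?? null;
        if (!is_array($db)) {
            throw new RuntimeException('Config is missing the "database" section');
        }
        foreach (['host', 'port', 'database', 'username', 'password'] as $key) {
            if (!isset($db[$key])) {
                throw new RuntimeException("Config key database.$key is missing");
            }
        }
        return new self($db['host'], (int) $db['port'], $db['database'],
                        $db['username'], $db['password']);
    }

    // Option 2 (the environment-variable approach from the comments), e.g.
    // set in the vhost or the container definition. Names are assumptions.
    public static function fromEnv(): self
    {
        $get = static function (string $name): string {
            $value = getenv($name);
            if ($value === false || $value === '') {
                throw new RuntimeException("Environment variable $name is not set");
            }
            return $value;
        };
        return new self($get('DB_HOST'), (int) $get('DB_PORT'), $get('DB_NAME'),
                        $get('DB_USER'), $get('DB_PASSWORD'));
    }
}

final class DBController
{
    /** @var resource|PgSql\Connection */
    private $conn;

    public function __construct(DbConfig $cfg)
    {
        // libpq connection strings allow single-quoted values; quoting each
        // value keeps a password containing a space or quote from breaking it.
        $conn = pg_connect(sprintf(
            "host='%s' port=%d dbname='%s' user='%s' password='%s'",
            self::q($cfg->host), $cfg->port, self::q($cfg->database),
            self::q($cfg->user), self::q($cfg->password)
        ));
        if ($conn === false) {
            // Do not send pg_last_error() to the browser: it can reveal the DSN.
            throw new RuntimeException('Database connection failed');
        }
        $this->conn = $conn;
    }

    // Escape backslashes and single quotes for the quoted conninfo syntax.
    private static function q(string $v): string
    {
        return str_replace(['\\', "'"], ['\\\\', "\\'"], $v);
    }

    // Parameterised query: values are sent separately from the SQL text.
    public function runQuery(string $sql, array $params = []): array
    {
        $result = pg_query_params($this->conn, $sql, $params);
        if ($result === false) {
            throw new RuntimeException('Query failed');
        }
        $rows = pg_fetch_all($result);
        return $rows === false ? [] : $rows;
    }
}

// Usage (assumed path and variable names): prefer the environment when set.
$cfg = getenv('DB_HOST') !== false
    ? DbConfig::fromEnv()
    : DbConfig::fromJsonFile('/etc/myapp/global.json');
$db = new DBController($cfg);
$rows = $db->runQuery('SELECT * FROM users WHERE id = $1', [42]);
```

Passing a DbConfig object into the constructor means the class no longer depends on a file path or on variables leaking out of a require, and the same DBController works unchanged whether the settings come from the JSON file in development or from environment variables in production.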
