
I am improving the security on my PHP website. I am not using any frameworks or CMS. The credentials are currently stored in plain text in the relevant PHP files. While researching, I came across this question: "Why use .ENV? What's wrong with storing secrets in a config.php file outside root directory?"

The first answer by Schwern makes the argument that .ENV variables are fine and

".ENV is a convenience and, ideally, is not used in production"

I do not have the reputation to comment so can anyone explain what should "ideally" be used in production?

jdf

1 Answer

The first answer by Schwern makes the argument that .ENV variables are fine and

".ENV is a convenience and, ideally, is not used in production"

Before that line, you skipped this line:

To clarify, the security and flexibility are gained by putting secrets into environment variables.

If you're not comfortable using .ENV, then just pass the credentials as environment variables. .ENV is just a convenience around environment variables.

The credentials are currently stored in plain text in the relevant php files

From a security POV, storing credentials in a plain text vs. passing them as environment variables is functionally equivalent. You're not making your website more secure by making this change.


The context for that question was storing plain-text secrets in the code repository vs. passing them through .ENV, and which approach was more secure. Unless your situation is similar, that answer is irrelevant.

verybadalloc
  • https://phptherightway.com/#configuration_files It would be nice if there were more explicit standards for handling credentials in production. WordPress encrypts the credentials in the wp-config file; is it worth attempting to implement something similar? At first glance it's confusing how the DB password is decrypted for DB operations. – jdf May 23 '21 at 00:54
  • Seems that just proper file permissions should do the trick. Have a look here: https://artisansweb.net/correct-file-permissions-wordpress/ – verybadalloc May 24 '21 at 09:02
  • thanks for the link. Sorry if I'm being obtuse but I'm not following how file permissions relate to the question or comment. I understand storing plaintext credentials is acceptable in a config file as long as permissions are set appropriately. Is that what you're referring to? I haven't had a chance to research how wp decrypts user passwords and it's not clear from the code. – jdf May 25 '21 at 06:43
  • Yes, storing plaintext credentials is acceptable in a config file as long as permissions are set appropriately *on said config file*. And no need to apologize; this is a Q&A site, and you're asking a question :) – verybadalloc May 25 '21 at 06:52
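Putting the answer's advice (read credentials from environment variables, .ENV being only a convenience around them) together with the comments' point that a plain-text config file is fine only with strict permissions, here is an added PHP example; it is not code from the question, the answer or the linked pages, and the config path, variable names and file layout are assumptions:

```php
<?php
// Added example, not code from the question or answer. Credentials come from
// environment variables first; the fallback is a config file outside the web
// root that must be owner-only readable. Paths and variable names are assumed.
declare(strict_types=1);

const CONFIG_PATH = '/etc/myapp/db-config.php'; // hypothetical, outside the web root

// Returns ['user' => ..., 'pass' => ...] from the environment, or null if unset.
function credentialsFromEnv(): ?array
{
    $user = getenv('DB_USER');
    $pass = getenv('DB_PASS');
    if ($user === false || $pass === false) {
        return null;
    }
    return ['user' => $user, 'pass' => $pass];
}

// Loads a config file that returns an array, refusing it when group/other can
// read it (the permissions point made in the comments above).
function credentialsFromFile(string $path): array
{
    if (!is_file($path)) {
        throw new RuntimeException("Config file not found: $path");
    }
    $mode = fileperms($path) & 0777;          // strip the file-type bits
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf(
            'Refusing %s: mode %04o is readable by group/other; chmod 600 it',
            $path, $mode));
    }
    $config = require $path;                  // file body: <?php return ['user'=>..., 'pass'=>...];
    if (!is_array($config) || !isset($config['user'], $config['pass'])) {
        throw new RuntimeException("$path must return an array with user and pass");
    }
    return ['user' => (string) $config['user'], 'pass' => (string) $config['pass']];
}

function loadDbCredentials(): array
{
    return credentialsFromEnv() ?? credentialsFromFile(CONFIG_PATH);
}

$creds = loadDbCredentials();
$pdo = new PDO('mysql:host=localhost;dbname=app', $creds['user'], $creds['pass']);
```

The permission check only applies to the fallback file; when DB_USER and DB_PASS are exported by the web server or process manager, the file is never read at all.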