Jump to content

Securing Server Log-In Info

doubledee

By doubledee
in PHP Coding Help

 Share

Recommended Posts

doubledee Advanced Member

doubledee

Posted
Posted

I am building an e-commerce site and have a security question.

 

My Payment Gateway has given me "Log-In ID" and "Transaction Key" that I use to log in to their server to submit payments.

 

What is a *reasonable* way to protect this information?

 

I have a VPS with root access, although I'm relying on using sFTP and the Plesk Control Panel since I don't know SSH yet.

 

Can I just store my "Log-In ID" and "Transaction Key" in a php file outside of my Web Root and include it?

 

Would that be secure enough for now?

 

Thanks,

 

 

 

Debbie

 

 

 

 

Link to comment
Share on other sites
ohdang888 Advanced Member

ohdang888

Posted
Posted

Can I just store my "Log-In ID" and "Transaction Key" in a php file outside of my Web Root and include it?

 

Would that be secure enough for now?

 

In my knowledge, yes, that would be sufficient for most businesses. But i'm interested to see what others have to say about this as well

Link to comment
Share on other sites
doubledee Advanced Member

doubledee

Posted
  • Author
Posted

Can I just store my "Log-In ID" and "Transaction Key" in a php file outside of my Web Root and include it?

 

Would that be secure enough for now?

 

In my knowledge, yes, that would be sufficient for most businesses. But i'm interested to see what others have to say about this as well

 

I realize that I can get into encrypting the values and storing them in a MySQL database, but I'm hoping my suggestion above, is good enough to get started.

 

 

Debbie

 

Link to comment
Share on other sites
Fadion Newbie

Fadion

Posted
Posted

I guess storing them in a PHP file would be enough. Whatever someones does, will only get the file parsed as HTML, so no actual information can be retrieved. If you want to be over-defensive, just place the file outside document root and simply include it. It would be quite impossible for someone to access those data, even more secure than encrypted in a database (sql injections can be found and hashes aren't impossible to "break").

Link to comment
Share on other sites
doubledee Advanced Member

doubledee

Posted
  • Author
Posted

I guess storing them in a PHP file would be enough. Whatever someones does, will only get the file parsed as HTML, so no actual information can be retrieved. If you want to be over-defensive, just place the file outside document root and simply include it. It would be quite impossible for someone to access those data, even more secure than encrypted in a database (sql injections can be found and hashes aren't impossible to "break").

 

Okay, so can you help me with the code?  (I've always been a wimp with arrays?!)

 

Here is my current code with strings hard-coded in the array...

 

// Assign Form Data to Post Array.
$post_values = array(
"x_login" => "someValue",
"x_tran_key" => "anotherValue",

 

 

What is the most efficient way to get my "Login ID" and "Transaction Key" from a file located out of my Web Root into this array??

 

In other words, I'm trying to avoid storing it somewhere temporarily that could defeat using my include.

 

Is there a way to include a file with those values but not make it available to the world?

 

 

 

Debbie

 

Link to comment
Share on other sites
doubledee Advanced Member

doubledee

Posted
  • Author
Posted

Is there a way to include a file with those values but not make it available to the world?

 

As long as the file isn't served as plain text it won't be viewable.

 

A few things...

 

1.) I know this is probably a super dumb question, but regardless of where the data comes from, how do I convert this code to work with variables??

 

$post_values = array(
"x_login" => "someValue"

 

Do I do this...

 

$post_values = array(
"x_login" => "$someVariable"

 

 

Or this...

$post_values = array(
"x_login" => $someVariable

 

 

2.) So do you agree with the previous advice that it is secure enough for starters to include a PHP file located outside my Web Root that contains my Payment Gateway "Login Id" and "Transaction Key"??

 

Eventually I'd like to encrypt them and store them in a database, but one step at a time as long as it is reasonably secure.

 

 

3.) Does it matter where I store the file outside of my Web Root?  (Linux server)

 

Thanks,

 

 

 

Debbie

 

 

 

Link to comment
Share on other sites
trq Prolific Member

trq

Posted
Posted

Variables are not required to be within quotes, so the later example is fine.

 

Also, you could just as easily store this file within your web root, as I said, as long as it's not served as plain text it's contents will not be visible. Of course, it however going to be safer to store it outside your web root in case your server suffers a misconfiguration and starts serving PHP as plain text. Where outside your web root does not matter.

Link to comment
Share on other sites
doubledee Advanced Member

doubledee

Posted
  • Author
Posted

Variables are not required to be within quotes, so the later example is fine.

 

Also, you could just as easily store this file within your web root, as I said, as long as it's not served as plain text it's contents will not be visible. Of course, it however going to be safer to store it outside your web root in case your server suffers a misconfiguration and starts serving PHP as plain text. Where outside your web root does not matter.

 

So in my Payment Form I would do something like this...

 

<?php	require_once('/var/www/vhosts/MyWebsite.com/SomeOtherDirectory/gateway_config.inc.php');	?>

 

 

 

Debbie

 

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.