
Websec.io:
Keeping Credentials Secure in PHP
Jun 27, 2018 @ 13:35:17

On the Websec.io site there's a new tutorial posted showing a potential method for keeping secrets safe in PHP-based applications.

One of the most difficult things in any kind of application (not just web applications) is how to protect "secret" values. These values might be API keys, database passwords or even special bypass codes. Ideally, you're not having to define these directly in the application and can have them loaded from another source.

While a lot of the issues around protecting secrets can be removed by better secret handling, it seems like there's still always a need for some kind of secret value to exist in an application. Using this sort of pattern is, obviously, recommended against. The Common Weakness Enumeration database even has an entry specifically about it: CWE-798. Hard-coding credentials, especially plain-text ones, can be a huge risk if an attacker were able to somehow access the code and read them directly.

The post then goes on to talk about specific issues with secrets/credentials handling in PHP and some of the common approaches (mostly using a .env file). It covers some of the basics of using the phpdotenv package before getting into the encryption of the secrets it contains. It recommends an "Apache pull" method: the encryption key is pulled in when Apache starts and placed in an environment variable, and the psecio/secure_dotenv library then works with the encrypted values in the .env file.
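The idea the tutorial describes (only ciphertext in the .env file, the key supplied separately through the server environment), as an added example that is not the psecio/secure_dotenv library's own code or API: it uses PHP's bundled libsodium instead, and assumes phpdotenv has already exported the .env variables and that the web server sets a variable named DOTENV_KEY (a hypothetical name) at startup.

```php
<?php
// Added example, not the psecio/secure_dotenv API: the same idea (only ciphertext
// in .env, key kept outside the file) with PHP's bundled libsodium (PHP >= 7.2).
// Assumes phpdotenv has already exported the .env variables and that the web
// server sets DOTENV_KEY (base64, 32 bytes) in its own environment at startup.
const ENC_PREFIX = 'ENC:';
/** Key from the server environment; refuse to run with a bad or missing key. */
function dotenvKey(): string
{
    $raw = getenv('DOTENV_KEY');
    $key = $raw === false ? false : base64_decode($raw, true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('DOTENV_KEY missing or not a 32-byte base64 key');
    }
    return $key;
}
/** Produce the value to paste into .env: ENC:<base64(nonce || ciphertext)>. */
function encryptSecret(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return ENC_PREFIX . base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}
/** Read a variable; decrypt ENC: values, pass plain settings through unchanged. */
function secret(string $name, string $key): string
{
    $value = getenv($name);
    if ($value === false) {
        throw new RuntimeException("$name is not set");
    }
    if (strncmp($value, ENC_PREFIX, strlen(ENC_PREFIX)) !== 0) {
        return $value; // non-sensitive setting stored in the clear
    }
    $blob = base64_decode(substr($value, strlen(ENC_PREFIX)), true);
    if ($blob === false || strlen($blob) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        throw new RuntimeException("$name is not a valid ENC: value");
    }
    $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException("$name could not be decrypted"); // wrong key or tampering: fail closed
    }
    return $plain;
}
// Constructed demo standing in for the real deployment: key in the server environment, ciphertext in .env.
$key = sodium_crypto_secretbox_keygen();
putenv('DOTENV_KEY=' . base64_encode($key));
putenv('DB_PASSWORD=' . encryptSecret('local-only-db-password', $key));
echo secret('DB_PASSWORD', dotenvKey()), PHP_EOL;
```

Someone who reads the .env file alone gets only ciphertext; the key lives in the process environment of the web server, so both have to be compromised to recover a credential.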

tagged: security encryption secret tutorial package phpdotenv

Link: https://websec.io/2018/06/14/Keep-Credentials-Secure.html

Jolicode Blog:
What you need to know about environment variables with PHP
Oct 12, 2017 @ 09:57:35

On the Jolicode Blog there's a new post covering something not often mentioned in PHP development: environment variables. In this tutorial the author provides what you "need to know" about these variables and how to more effectively use them in your applications.

Environment variables for configuration are today’s best practice for application setup – database credentials, API Keys, secrets and everything varying between deploys are now exposed to the code via the environment, instead of configuration files or worse, directly hard-coded. Let’s dive into: how does it work, is it really a good idea, how to deal with them in PHP and finally some recommendations and common errors to avoid – with some real world traps we fell into!

They start with a "101" look at environment variables, covering what they are and how they can be referenced from your code (both in the web server and on the command line). They briefly talk about the potential danger in their use and using a .env file to store and read them rather than having them as web server configuration options. The post also includes examples of importing these values using various libraries and some of the common pitfalls that can come with their use.

tagged: environment variables tutorial introduction phpdotenv env

Link: https://jolicode.com/blog/what-you-need-to-know-about-environment-variables-with-php

Matt Stauffer:
Environment-Specific Configuration for CraftCMS Using PHPDotEnv
Sep 25, 2015 @ 10:13:21

In this post to his site Matt Stauffer shows a more real-world example of how the phpdotenv library can make configuration of your application simpler. He shows how it can be applied to a Craft CMS installation to manage domain-specific configuration details.

Craft is a fantastic CMS, but every CMS shows some pain points when you have a large team working on the same site at the same time. One of these points for me is Craft's native multi-environment configuration options, which allow you to define configuration options based on the domain name.

[...] This is great, but it's limited: You're hard-coding the configuration details into your code, which sometimes means putting sensitive information into your version control. Every developer's local installs either all have to have different domains, or if they use the same domain they need to all have the same configuration settings. And something just feels dirty about the codebase having such knowledge of every place it's going to be deployed.

He introduces the phpdotenv library and how you define its simple .env file with a basic INI structure. He then shows how to add the phpdotenv library to your installation:

  • add it to the list of Composer-installed libraries
  • update your front controller to load the configuration
  • define the .env file with your settings
  • ignore it via .gitignore

With these steps in place you can then update the Craft configuration with calls to getenv in all the right places to pull items from the phpdotenv configuration.
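The steps above put together, as an added example that is not code from Matt Stauffer's post, from Craft, or from phpdotenv: the front controller loads the .env with phpdotenv (v5 API) and fails fast when a required variable is missing, and a Craft-style config/db.php reads the values with getenv. The .env contents, the DB_* variable names and the config keys are assumptions for illustration.

```php
<?php
// Added example, not code from Matt Stauffer's post or from Craft/phpdotenv.
// Assumes `composer require vlucas/phpdotenv` (v5), a .env in the project root
// one level above the web root, and that .env is listed in .gitignore.
require dirname(__DIR__) . '/vendor/autoload.php';

use Dotenv\Dotenv;

/**
 * Load .env once and return the settings a Craft-style config/db.php expects,
 * built from the environment instead of hard-coded per domain name.
 * Throws Dotenv\Exception\ValidationException when a required variable is
 * missing or empty, so a misconfigured deploy fails before it ever connects.
 */
function databaseConfigFromEnv(string $projectRoot): array
{
    // createUnsafeImmutable() also calls putenv(), which is what makes
    // getenv() below work; createImmutable() would only fill $_ENV/$_SERVER.
    // "Immutable" means values already set by the web server are not
    // overwritten by the file, so the real environment always wins.
    $dotenv = Dotenv::createUnsafeImmutable($projectRoot);
    $dotenv->safeLoad(); // no error when .env is absent, e.g. in production

    $dotenv->required(['DB_SERVER', 'DB_USER', 'DB_PASSWORD', 'DB_DATABASE'])
           ->notEmpty();
    $dotenv->ifPresent('CRAFT_DEVMODE')->isBoolean();

    return [
        'server'      => getenv('DB_SERVER'),
        'user'        => getenv('DB_USER'),
        'password'    => getenv('DB_PASSWORD'),
        'database'    => getenv('DB_DATABASE'),
        'tablePrefix' => getenv('DB_TABLE_PREFIX') ?: 'craft',
    ];
}

// Constructed .env for this example (ignored by git, one copy per developer):
//   DB_SERVER=127.0.0.1
//   DB_USER=craft
//   DB_PASSWORD=local-only-password
//   DB_DATABASE=craft_dev
//   CRAFT_DEVMODE=true
// craft/config/db.php then becomes:  return databaseConfigFromEnv(dirname(__DIR__, 2));
```

Because the repository is immutable, a production host that exports DB_PASSWORD from its own environment is never overridden by a stray .env that happened to be deployed alongside the code.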

tagged: phpdotenv env configuration craftcms example environment tutorial

Link: https://mattstauffer.co/blog/environment-specific-configuration-for-craftcms-using-phpdotenv