How to Include a Secure PHP Configuration File

When developing PHP applications, it’s important to keep your configuration files secure. A common mistake is placing these files under the web root, where they can potentially be accessed by anyone with a web browser. This guide will walk you through securely storing your configuration files outside of the web root and modifying your PHP setup to include them.

Why You Shouldn’t Store Configuration Files in the Web Root

Everything under the web root is reachable by URL. If a request hits a configuration file that the server does not hand to PHP (for example config.inc, config.txt, or an editor backup such as config.php~ or config.php.bak), the server sends the file back verbatim, and whatever it contains, typically database credentials, is exposed. Even a .php file, which is normally executed rather than served, is sent as source when the PHP handler is disabled, misconfigured, or not mapped to that extension. The reliable fix is to keep sensitive files, including your configuration files, in a directory above the web root, so that no URL maps to them at all.

Modifying Your PHP Setup

To include files that live outside the web root without hard-coding their location in every script, modify the include_path directive in the php.ini file. This directive lists the directories PHP searches when include or require is given a relative filename such as 'config.php'. (An absolute path, for example require __DIR__ . '/../includes/config.php', works without touching include_path; this guide uses include_path because later exercises assume that a bare require 'config.php' will work.) Below are the steps to update your setup.

Step 1: Create an Includes Directory Outside the Web Root

First, navigate to the folder that contains your document root, not the document root itself. For example, if your document root is /Applications/MAMP/htdocs, navigate to /Applications/MAMP. Create a new folder called includes at this location; it sits beside htdocs rather than inside it, so no URL can reach it.

Step 2: Move the Configuration File to the Includes Directory

Next, download the sample configuration file provided with this lesson, config-sample.php, copy it into the new includes folder, and rename it config.php. On a Unix-like system, restrict it so that only the account the web server runs as can read it (for example chmod 640, with the file owned by that account); it will hold your database credentials.

Step 3: Update the php.ini File

Open the php.ini file that your server actually loads (phpinfo() reports it under "Loaded Configuration File"; MAMP ships one per PHP version) and locate the include_path directive. Append a path separator, a colon on Mac or Linux or a semi-colon on Windows, followed by the path to the new includes folder, to the end of the existing value.

  1. On a Mac, the path will look something like this:
    ; UNIX: "/path1:/path2"
    include_path = ".:/Applications/MAMP/bin/php/php8.3.9/lib/php:/Applications/MAMP/includes"
  2. On Windows, the path will look something like this:
    ; Windows: "\path1;\path2"
    include_path = ".;c:\php\includes;c:\MAMP\includes"

Note that semi-colons at the beginning of lines in the php.ini file denote comments, so a commented-out example line such as ;include_path = ".:/php/includes" has no effect. If the include_path line you want to use begins with a semi-colon, remove it, and make sure only one active include_path line remains.

Step 4: Test Your Setup

To confirm that PHP can see the file, create a new PHP file named test-config.php in a directory under your web root and paste the following code into it:

<?php
    // Resolve a relative filename against include_path exactly as
    // include/require would, without actually loading the file.
    $file = 'config.php';
    if ($path = stream_resolve_include_path($file)) {
        echo "<h1 class='success'>SUCCESS</h1><p>Found <em>$file</em> at <em>$path</em></p>";
    } else {
        echo "<h1 class='error'>FAIL</h1><p>Could not find <em>$file</em> in include folders.</p>";
    }
    // Show the value PHP is really using, so a stale or wrong php.ini is obvious.
    echo "<p>Your current <code>include_path</code> is " . ini_get('include_path') . "</p>";
?>

Run test-config.php in your browser by navigating to the appropriate URL (e.g., http://localhost/test-config.php). If your setup is correct, you will see SUCCESS together with the absolute path at which config.php was found.

If it fails, you will see FAIL together with the include_path PHP is actually using, which tells you whether your edit took effect at all.

If you encounter issues, remember that PHP reads php.ini only when the server starts: restart Apache (or MAMP), check that you edited the php.ini reported by phpinfo(), and verify that every directory in include_path exists and is spelled exactly as it is on disk.

Delete test-config.php once you are done. It reveals absolute filesystem paths, and anything left under the web root is served to anyone who asks for it.
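The test script above only reports where config.php was found; it does not check that the location is actually safe. The following loader, added here as an example and not part of the original lesson, resolves config.php through include_path and refuses to load it if it sits under the document root or is world-readable. It assumes Steps 1 to 3 are complete, that the web server populates $_SERVER['DOCUMENT_ROOT'] (or that you pass the document root explicitly), and PHP 8 for str_starts_with(). The function name loadSecureConfig is mine.

```php
<?php
// Added example, not part of the original lesson: a guarded loader for
// config.php. Assumes config.php is reachable through include_path (Steps 1-3)
// and that $_SERVER['DOCUMENT_ROOT'] is set by the web server, or that the
// document root is passed in explicitly.
declare(strict_types=1);

/**
 * Resolve $file through include_path, refuse it if it lives under the
 * document root or is world-readable, then require it once.
 * Returns the absolute path that was loaded.
 */
function loadSecureConfig(string $file = 'config.php', ?string $docroot = null): string
{
    $found = stream_resolve_include_path($file);
    if ($found === false) {
        throw new RuntimeException(
            "$file not found on include_path (" . ini_get('include_path') . ')'
        );
    }
    $config = realpath($found);
    if ($config === false) {
        throw new RuntimeException("Cannot resolve real path of $found");
    }

    // Default to the web server's document root when none is supplied.
    $docroot ??= $_SERVER['DOCUMENT_ROOT'] ?? null;
    if ($docroot !== null && $docroot !== '' && ($real = realpath($docroot)) !== false) {
        $prefix = rtrim($real, '/\\') . DIRECTORY_SEPARATOR;
        if (str_starts_with($config, $prefix)) {
            throw new RuntimeException(
                "$config is inside the document root $real; move it above the web root"
            );
        }
    }

    // On Unix-like systems a world-readable file leaks its secrets to every
    // local account. POSIX mode bits are not meaningful on Windows, so skip there.
    if (PHP_OS_FAMILY !== 'Windows') {
        $mode = fileperms($config) & 0777;
        if ($mode & 0004) {
            throw new RuntimeException(sprintf(
                '%s is world-readable (mode %04o); run: chmod 640 %s',
                $config, $mode, $config
            ));
        }
    }

    require_once $config;
    return $config;
}

// Usage, for example from a page under the web root. The path is HTML-escaped
// because it is echoed into a browser.
try {
    $path = loadSecureConfig('config.php');
    echo '<p>Loaded <code>' . htmlspecialchars($path, ENT_QUOTES) . '</code></p>';
} catch (RuntimeException $e) {
    // Log the detail server-side; a production page should not reveal the
    // filesystem layout to visitors.
    error_log($e->getMessage());
    echo '<p>Configuration error; see the server error log.</p>';
}
```

The document-root comparison uses realpath() on both sides so that symlinks and ".." segments cannot make a file under htdocs look as if it were outside it. The permission check is deliberately skipped on Windows, where fileperms() does not reflect ACLs; there, rely on NTFS permissions on the includes folder instead.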

Why This Setup Is Important

Having your configuration file set up correctly matters for both the security and the functionality of your PHP applications. Keeping config.php above the web root means that no URL maps to it, so a misconfigured or disabled PHP handler cannot hand its contents to a visitor. It is not a complete defense on its own: the file still needs restrictive permissions, and any script that can read it can still leak its values, so never echo them. Later exercises in your PHP course also rely on this setup being in place, so it's important to follow these steps carefully.

Once you have successfully completed this setup, you are ready to move on to more advanced topics, such as creating a dbConnect() function that securely connects to your database using the configuration file you’ve just secured.

Written by Nat Dunn. Follow Nat on Twitter.