I don't like storing sitewide crypto keys and DB access information under document_root, so I was using Apache's SetEnv and php.ini files under conf.d to separate these fr
It's common practice to store non-public files outside of document_root. A typical layout could be this:
.../myProject
.../myProject/documentRoot
.../myProject/documentRoot/....
.../myProject/nonPublicFiles
.../myProject/nonPublicFiles/...
Store your PHP stuff in documentRoot and all non-public stuff in nonPublicFiles. documentRoot would be the Apache document_root of the vHost. Since nonPublicFiles is outside, Apache won't answer requests for it.
Regarding security, SetEnv or *.ini tend to be equivalent: in case someone gains rights to execute arbitrary PHP code, both ways provide the sensitive information to this code.
I'd prefer the SetEnv and *.ini method, since Apache won't disclose these details itself. A script is required.
Misconfiguration may disclose the contents of nonPublicFiles even without a script.
In case you are going to use nonPublicFiles, prepare upfront a script which checks if everything is set up fine and forwards an email if it finds problems. Probably call it using CRON.
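
One way to write the check script suggested above, as an added example that is not part of the original answer. It reports when nonPublicFiles resolves inside the document root, when a directory symlink under the document root leads into it, and when anything in it is world-readable. The paths, the `ALERT_TO` variable and a working local `mail` command are assumptions.

```shell
#!/bin/sh
# Added example: layout check meant to be run from cron.
# Usage (paths are assumptions):
#   check.sh /srv/myProject/documentRoot /srv/myProject/nonPublicFiles

# Print the physical path of a directory, with symlinks resolved.
physical_path() {
    ( cd "$1" 2>/dev/null && pwd -P )
}

# Return 0 if directory $2 is outside $1, 1 if it is $1 or below it, 2 if unresolvable.
is_outside() {
    root=$(physical_path "$1") || return 2
    dir=$(physical_path "$2") || return 2
    case "$dir/" in
        "$root"/*) return 1 ;;
    esac
    return 0
}

# Print one line per problem found; print nothing when the layout is fine.
check_layout() {   # $1 = document root, $2 = non-public directory
    rc=0
    is_outside "$1" "$2" || rc=$?
    if [ "$rc" -eq 1 ]; then echo "non-public directory is inside the document root"; fi
    if [ "$rc" -eq 2 ]; then echo "cannot resolve $1 or $2"; fi
    # Directory symlinks under the document root that lead into the non-public tree.
    find "$1" -type l 2>/dev/null | while IFS= read -r link; do
        [ -d "$link" ] || continue
        lrc=0
        is_outside "$2" "$link" || lrc=$?
        if [ "$lrc" -eq 1 ]; then echo "symlink exposes non-public files: $link"; fi
    done
    # Anything readable by "other" can be read by every local account.
    find "$2" ! -type l -perm -004 2>/dev/null | while IFS= read -r f; do
        echo "world-readable: $f"
    done
}

# Run only when both paths are given; mail the report if it is not empty.
# ALERT_TO is a hypothetical variable; a working local mail(1) is assumed.
if [ "$#" -eq 2 ]; then
    problems=$(check_layout "$1" "$2")
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems" | mail -s "nonPublicFiles check failed" "${ALERT_TO:-root}"
    fi
fi
```

The script only inspects the filesystem; it does not request the files over HTTP, so an Apache-level mistake such as an Alias pointing at nonPublicFiles still needs a separate probe.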