How to securely store the API key?

C

CrazyMode2017-05-22 09:48:32

PHP

CrazyMode, 2017-05-22 09:48:32

I'm making a website - a personal account.
Works via api.
Actually, the key is stored on the site, when a request is made via curl, via get or post, the key is picked up, joined with the parameter string, md5 encoded and how the header is sent to the server.
Actually, I'm a complete layman, and so far I've done this: the
db.php file with the connection parameters is in the .htaccess folder in which deny from all.
The file is not accessible. Only if the server itself asks.
At the same time, the key itself is not stored in db.php, the key is located outside the html folder. tobish outside the request field. After all, it is impossible to access this address localhost/../secret/secret.php where ../ is a transition to a higher level, as in the file system.
Or is it possible?
In general, advice for a noob, on protecting the key.

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

S

Sergey Sokolov, 2017-05-22
@CrazyMode

You can usually access files one level higher, and they do it: the project folder and a subfolder into it, the root of the website:

/var/www/Project/
  .secret_data.php
  public_html/
    index.php  <-- отсюда подключается "../.secret_data.php"

And the database access parameters and API keys should be stored in such a place. More often, their values are loaded into the environment array during execution, $_ENVand $_SERVERtaken from there if necessary. Roughly example .secret_data.php:

$params = array(
  'API_KEY' => '3pyWtP7KYVheJWkftdchJLWhwUcK8Rdw',
  'DB_HOST' => '127.0.0.1',
  'DB_USER' => 'root',
  'DB_PASS' => 'secret',
);
$_ENV = array_merge( $_ENV, $params);
$_SERVER = array_merge( $_SERVER, $params);

A common solution is to use the vlucas/phpdotenv package , which loads "secret" data from a file.env