Question

I have a .ini file with sensitive information in my PHP web app. I denied access to it using a .htaccess file:

<files my.ini>
  order deny,allow
  deny from all
</files>

I don't have access to folders outside of htdocs, so I can't move the .ini file out of browsable territory.

Is my solution safe?


Solution

The .htaccess will block access from the web. However, if you're using a shared hosting environment, it might be possible for other users to access your ini. If it's on a (virtual private) server and you're the only user for that server, you're safe.

In case of shared hosting it depends on server configuration. For more info read: PHP Security in a shared hosting environment

You can temporarily install PHPShell and browse through the server filesystem to check if your server is vulnerable. (Requires some command-line knowledge.)

OTHER TIPS

Another good solution and my personal favourite (especially when developing code that might not remain under my stringent .htaccess control) is securing the actual .ini file. Thanks to a kind soul here - user notes: pd at frozen-bits dot de, what I do is:

my.ini -> changes to my.ini.php

my.ini.php starts off:

;<?php
;die(); // For further security
;/*
    [category]
    name="value"

;*/

Works perfectly! Access the file directly and all you see is ';' and it is a valid, parseable .ini file. What's not to like :)

A few notes on actual implementation (apologies if this counts as "overshare" but maybe save someone some time):

  1. This file makes my IDE very Upset and it keeps trying to auto-reformat which then makes PHP Upset. Blessings be on Notepad++.
  2. Don't forget the closing ;*/. It still works if you leave it out but PHP warns you that it is about to become Upset.

Sorted.
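The wrapper trick above, as an added example that is not code from the original answers: it writes a constructed my.ini.php in the ";<?php die();" layout to a temp directory (an assumed location) and shows both views of the same file, what the application gets through parse_ini_file() and what a direct request would be served.

```php
<?php
// Added example, not code from the original answers. Writes a constructed
// my.ini.php in the ";<?php die();" layout to a temp directory (assumed
// location) and compares the application's view with the served view.

function writeWrappedIni(string $path): void
{
    // Constructed sample content; the values are placeholders.
    $content = <<<'INI'
;<?php
;die(); // For further security
;/*
[database]
host="db.internal"
password="placeholder-secret"
;*/
INI;
    file_put_contents($path, $content);
}

// Application side: the ini parser treats every line starting with ';' as a
// comment, so only the [database] section and its keys are returned.
function loadConfig(string $path): array
{
    return parse_ini_file($path, true);
}

// Web side: Apache hands a .php file to PHP, which echoes the inline ';' that
// precedes the open tag and then stops at die() before any ini line is reached.
// Running the file in a separate PHP process reproduces that behaviour.
function renderAsWeb(string $path): string
{
    return (string) shell_exec(PHP_BINARY . ' ' . escapeshellarg($path));
}

$path = sys_get_temp_dir() . '/my.ini.php';
writeWrappedIni($path);

$config = loadConfig($path);
printf("application sees host=%s\n", $config['database']['host']);

$served = renderAsWeb($path);
printf("direct request would be served %d byte(s): %s\n",
    strlen($served), var_export($served, true));

// The secret must not appear in what a visitor would receive.
if (strpos($served, $config['database']['password']) !== false) {
    throw new RuntimeException('secret leaked in served output');
}
unlink($path);
```

Leaving out the closing `;*/` line, as the note above warns, makes PHP emit an unterminated-comment warning when the file is served, so keep it in the constructed content.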

The file will not be visible from Apache. Obviously the best option is to put it outside of your site's root. If you can't do that, .htaccess files (or similar directives in your Apache configs) are pretty much your only option.

Licensed under: CC-BY-SA with attribution