Monday, September 30, 2013

Using php to store sensitive data in XML

heyy folks,

I am really not going to tell the usual "back after a long time" thingy. Hell it's around an year since the last post. Yeah had busier times :). Nevermind, let's focus on today's topic. It's actually kinda old thing i wanted to document a long time before. First we need to identify the problem.


Storing sensitive data like database connection info [ ex: db username, db password] in an XML file

Why would we store them in XML database?

1) Obviously we cant store them in the database we are going to store other data since this file has the connection details of the database. So these info should be available separately

2) We could use few other means of storing data as well, but XML is so easy to use. Not to mention all the classes in php to handle XML parsing.

What's wrong with current methods?

Usually how this is done is simply storing those ultra secret stuff in an XML file and then preventing normal users from accessing it. ex: you can add htaccess rules to prevent access to it. But sometimes our server feature requirements are limited and mostly many web admins simply forget to protect these XML configurations.


Store XML inside a php file.
Now this would seem a bit odd. You might say "hey its just as same as storing them in plain text". NOPE, what i mean is store the XML data as a hard coded variable in a php script. Since php wont let a client see anything that isnt given to the output, the XML is now safe :)

Lets go to the real stuff.

Storing XML in php

quite simply, just put it in a variable

  1. <?php 
    //simply make a new variable xml and put the xml code
    //note that the XML code is put in a special way

  2. $xml = <<<XML
  3. <?xml version="1.0" standalone="yes"?>
  4. <config>
  5.     <secret>thisismypassword</secret>
  6. </config>
  7. XML
  8. ?>

Access data from php

Piece of cake ! the simpleXMLElement class will turn your XML to an object :D

  1. <?php
  2. //first import the settings.php
  3. // $xml variable is visible to this script
  4. include("settings.php")
  5. //simply make a new SimpleXMLElement object in php
  6. //this object will turn the XML configuration to an object, yeah that easy :D
  7. $config = new SimpleXMLElement($xml);
  8. //to access use xml data, simply use the object notation
  9. echo "my secret is : ";
  10. echo $config->secret;
  11. ?>

Edit and Save XML data from php

Now this is the only kinda tricky part. Here we actually have to write the php FILE manually with edited xml.
The good thing is that any changes to XML data is represented as XML by php. Hard part is writting the file without any errors.

  1. <?php
  2. //first import the settings.php
  3. // $xml variable is visible to this script
  4. include("settings.php")
  5. //lets change some data, i mean the only data which is the secret
  6. $config->secret = "mynewsecretpassword";
  7. //now we need any change done to XML in XML format, another bit of cake
  8. //asXML() method gives an object in XML format
  9. $editedXML = $config->asXML();
  10. //prepare the string to write CAREFULLY
  11. $toWrite = '<?php'.PHP_EOL.
  12.            '$xml = <<<XML'.PHP_EOL.
  13.            $editedXML.PHP_EOL.
  14.            'XML'.PHP_EOL.
  15.            '?>';
  16. //PHP_EOL is the php end of line, that's to add a line break
  17. //if you echo this, you'll see the settings.php as exactly
  18. //always manage errors when using file operations          
  19. try{
  20.         //now open the file settings.php to write edited XML
  21.         $file = fopen("settings.php",'w');
  22.         //write the new file
  23.         fwrite($file,$toWrite);
  24.         //close the stream
  25.         fclose($file);
  26. }catch(Exception $e){
  27.         die("Damnit error");
  28. }
  29. ?>

now if you goto settings.php from browser, you wont see a single thing :)
that's it ! Now you can store wonderful secrets and manage them as easily [or more easily] as using SQL :D

Hope for another one soon.

No comments:

Post a Comment