Using INI files on PHP sites

I’ve built some personal web sites using PHP. I’ve been working on one site that I hope to bring public soon. The site will contain some personal information that must be encrypted. So I have been using code that is (hopefully) secure from potential exposure. There is data stored in a database, and some of that data will need to stay confidential from any outside hacks. The intent is to write code that stores data securely, even if the source code files are compromised. Of course, it is difficult to do that level of security, but there are techniques that help with that.

One of the techniques, which I am documenting here (mostly for my own benefit), is to have some variable data used by the code pages stored in an area away from normal web access. Think of the credentials used for database access, for instance. That is data that needs to be used by the code, but should not appear in the code files that use the data. So we need a way to store the variable data in an outside file for use by any code page that needs it.

There are several steps involved in this. First, we need to have a plain text file that contains the variable values. The data is stored in an array; in this example, the array is called ‘config’. Here is the file (parameters.txt) that defines the array that contains the variables:

[config]
xProgram = "My Program Name"
xHeading1 = "The Heading 1 Text"
xHeading2 = "The Heading 2 Text"
xText = "This is the true text that belongs to the program"

Note that we have used double-quotes to surround text with space characters. That’s to ensure that there won’t be a problem (and an error) if the text string contains a reserved word (as in the xText value).

The next step is reading the configuration file into a variable (let’s call it $xvariable), which will contain the arrays as defined in the configuration file. So the $xvariable array will contain those four values. We can reference each value with code similar to $xvariable['config']['xProgram'], which will contain the value of ‘My Program Name’, when you read the file contents into an array called $xvariable. (This two-level form requires passing true as the second argument to parse_ini_file; without it the section names are dropped and the value is read as $xvariable['xProgram'].) You can put multiple array names within the brackets, each as its own [name] section, if you need additional data arrays. And you might want to consider non-specific names for the variables, like using numbers instead of a descriptive name like we show above.

Now that we have created the parameters.txt file, we need a secure place to put it. Normally, you would want to place this file outside of the site root, but you may not have access outside of the site root on some shared hosting systems. So we will place it in a subfolder of the site root called ‘xini’. That means the configuration file will be accessed as ‘./xini/parameters.txt’.

With the file in the ‘xini’ folder, we need to protect that folder (and any files within that folder) from prying eyes. This is done by putting the following commands in an ‘.htaccess’ file. These commands will prevent access to any file with a ‘txt’ extension.

<FilesMatch "\.txt$">
    # Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied"
    Order allow,deny
    Deny from all
</FilesMatch>

There are lots of other places that discuss the .htaccess file, so go there if you need more info.

At this point, we have the configuration file built, stored in the ‘xini’ folder, and protected by the .htaccess file.

Next, we need a function to read the parameters.txt configuration file and make the ‘config’ array available to the other code pages. Here, we will use a function that we store in our functions ‘include’ file.

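function show_ini() {
    global $config;

    // check that the ini file is there
    if (!file_exists('./xini/parameters.txt')) {
        die("Did not find the file.");
    }

    // file found, read it into the $config array
    $config = parse_ini_file('./xini/parameters.txt');

    // parse_ini_file() returns false if the file could not be parsed
    if ($config === false) {
        die("Could not read the file.");
    }

    return;
}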

We just call the show_ini function at the top of the functions.php file (the code file that contains all of the functions used by the program). Since all pages ‘include_once’ the functions.php file, the config array will be available to all code pages.

Note that we use the ‘global’ keyword at the beginning of the function so that the config array will be available outside of the scope of the function. Another note: you will have to ensure that the page that calls the function can get to the file using the path you specify in the file_exists and parse_ini_file calls, so adjust that as needed. And some additional error trapping, or a more friendly ‘die’ process, would be useful to add.

But the process allows you to store confidential information outside of the code pages. Of course, access to all of the site’s source code files will be a concern, but (hopefully) there are other protections against that exposure.

[added 3 Oct 2014]

Found that the ini file can contain ‘//’ or ‘/*’ and ‘*/’ pairs. But you can’t put any parentheses or square bracket characters in the ini file. If you do, the parameters in the ini file won’t be read.
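A stricter loader for the same parameters.txt, as an added example that is not the original author's code: it keeps the [config] section level, treats a parse failure or a missing key as a hard stop, and sends the details to the server log instead of the page. The function name load_config(), the required-key list (including the absent dbPassword key) and the temp-file sample are assumptions made for illustration.

```php
<?php
// Added example, not the original author's code. load_config() and the
// required-key list are hypothetical names chosen for illustration.
function load_config(string $path, array $required): array
{
    // Fail closed with a generic message; details go to the server log only,
    // so the file location is never shown to site visitors.
    if (!is_file($path) || !is_readable($path)) {
        error_log("config: cannot read $path");
        throw new RuntimeException('Configuration unavailable.');
    }

    // Passing true keeps [section] names as the first array level.
    // parse_ini_file() returns false when the file has a syntax error.
    $ini = @parse_ini_file($path, true);
    if ($ini === false || !isset($ini['config']) || !is_array($ini['config'])) {
        error_log("config: parse failure or missing [config] in $path");
        throw new RuntimeException('Configuration unavailable.');
    }

    // Every key the pages rely on must be present.
    $missing = array_diff($required, array_keys($ini['config']));
    if ($missing) {
        error_log('config: missing keys: ' . implode(', ', $missing));
        throw new RuntimeException('Configuration unavailable.');
    }
    return $ini['config'];
}

// Constructed sample input in a temp file so the example runs offline.
// On the site itself the path would be built from __DIR__ and xini/parameters.txt.
$path = tempnam(sys_get_temp_dir(), 'ini');
file_put_contents($path, <<<INI
[config]
xProgram = "My Program Name"
xText = "This is the true text that belongs to the program"
INI);

try {
    $config = load_config($path, ['xProgram', 'xText']);
    echo $config['xProgram'], PHP_EOL;
    load_config($path, ['xProgram', 'dbPassword']); // dbPassword is absent
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
} finally {
    unlink($path);
}
```

Returning the array instead of setting a global lets each page pass the path it can actually reach, which addresses the relative-path caveat noted above.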
