[PHP] Re: use of ini vs include file for configuration
Agreed. -- João Cândido de Souza Neto Tamara Temple tamouse.li...@gmail.com escreveu na mensagem news:977f087c-bb11--b851-21616ae9e...@gmail.com... I'm curious what the lists' opinions are regarding the use of an .ini file versus an include configuration file in PHP code are? I can see uses for either (or both). To me, it seems that an .ini file would be ideal in the case where you want to allow a simpler interface for people installing your app to configure things that need configuring, and an included PHP code configuration file for things you don't necessarily want the average installer to change. What do you think? Tamara -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: use of ini vs include file for configuration
On Thu, 2010-11-11 at 17:16 -0200, Jo?o C?ndido de Souza Neto wrote: Agreed. -- Joo Cndido de Souza Neto Tamara Temple tamouse.li...@gmail.com escreveu na mensagem news:977f087c-bb11--b851-21616ae9e...@gmail.com... I'm curious what the lists' opinions are regarding the use of an .ini file versus an include configuration file in PHP code are? I can see uses for either (or both). To me, it seems that an .ini file would be ideal in the case where you want to allow a simpler interface for people installing your app to configure things that need configuring, and an included PHP code configuration file for things you don't necessarily want the average installer to change. What do you think? Tamara There are potential security concerns involved too. An .ini file will be output as plain text by default by the web server if requested by a user agent unless it is protected somehow (by a .htaccess file for example) or it is outside of document root for the server. A PHP file on the other hand will be parsed, so won't output it's variables. It's all too easy to forget to protect an ini file from this sort of thing, whereas if you've written a website in PHP, it becomes fairly evident if your web server isn't configured for PHP without testing specifically for it! Thanks, Ash http://www.ashleysheridan.co.uk
Re: [PHP] Re: use of ini vs include file for configuration
For configuration, I used to use .php file earlier. I just used array syntax to keep the config values. But now I use json syntax. Its easy like xml. Ini file is much more user friendly than json though. -- Shiplu Mokadd.im My talks, http://talk.cmyweb.net Follow me, http://twitter.com/shiplu Innovation distinguishes bet ... ... (ask Steve Jobs the rest)
RE: [PHP] Re: use of ini vs include file for configuration
-Original Message- From: Ashley Sheridan [mailto:a...@ashleysheridan.co.uk] Sent: Thursday, November 11, 2010 11:46 AM To: Jo?o C?ndido de Souza Neto Cc: php-general@lists.php.net Subject: Re: [PHP] Re: use of ini vs include file for configuration On Thu, 2010-11-11 at 17:16 -0200, Jo?o C?ndido de Souza Neto wrote: Agreed. -- Joo Cndido de Souza Neto Tamara Temple tamouse.li...@gmail.com escreveu na mensagem news:977f087c-bb11--b851-21616ae9e...@gmail.com... I'm curious what the lists' opinions are regarding the use of an .ini file versus an include configuration file in PHP code are? I can see uses for either (or both). To me, it seems that an .ini file would be ideal in the case where you want to allow a simpler interface for people installing your app to configure things that need configuring, and an included PHP code configuration file for things you don't necessarily want the average installer to change. What do you think? Tamara There are potential security concerns involved too. An .ini file will be output as plain text by default by the web server if requested by a user agent unless it is protected somehow (by a .htaccess file for example) or it is outside of document root for the server. A PHP file on the other hand will be parsed, so won't output it's variables. It's all too easy to forget to protect an ini file from this sort of thing, whereas if you've written a website in PHP, it becomes fairly evident if your web server isn't configured for PHP without testing specifically for it! Why would you put your configuration file in a ../htdocs folder? That's just poor design. Just as your classes and include files are OUTSIDE your document root, so must your config file be. Plus it's trivial to secure a .ini with a .htaccess or other apache method. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Re: use of ini vs include file for configuration
On Thu, 2010-11-11 at 14:21 -0800, Daevid Vincent wrote: -Original Message- From: Ashley Sheridan [mailto:a...@ashleysheridan.co.uk] Sent: Thursday, November 11, 2010 11:46 AM To: Jo?o C?ndido de Souza Neto Cc: php-general@lists.php.net Subject: Re: [PHP] Re: use of ini vs include file for configuration On Thu, 2010-11-11 at 17:16 -0200, Jo?o C?ndido de Souza Neto wrote: Agreed. -- Joo Cndido de Souza Neto Tamara Temple tamouse.li...@gmail.com escreveu na mensagem news:977f087c-bb11--b851-21616ae9e...@gmail.com... I'm curious what the lists' opinions are regarding the use of an .ini file versus an include configuration file in PHP code are? I can see uses for either (or both). To me, it seems that an .ini file would be ideal in the case where you want to allow a simpler interface for people installing your app to configure things that need configuring, and an included PHP code configuration file for things you don't necessarily want the average installer to change. What do you think? Tamara There are potential security concerns involved too. An .ini file will be output as plain text by default by the web server if requested by a user agent unless it is protected somehow (by a .htaccess file for example) or it is outside of document root for the server. A PHP file on the other hand will be parsed, so won't output it's variables. It's all too easy to forget to protect an ini file from this sort of thing, whereas if you've written a website in PHP, it becomes fairly evident if your web server isn't configured for PHP without testing specifically for it! Why would you put your configuration file in a ../htdocs folder? That's just poor design. Just as your classes and include files are OUTSIDE your document root, so must your config file be. Plus it's trivial to secure a .ini with a .htaccess or other apache method. Tell that to the developers of all the big names out there, phpMyAdmin, phpBB, CodeIgniter, et al. All of them, for ease of use, put all the config files in the htdocs directory by default, presumably so that they don't lock out those people who can only get hosting that does not allow much more than basic configuration. It might be poor design, but it's just the way things are, and if you're working with such hosting, it's worth bearing in mind what your options are. I did mention specifically about putting the config files outside of document root, but that's not always possible in every case. Thanks, Ash http://www.ashleysheridan.co.uk
