I’m writing a simple PHP script to access the Foursquare API. The PHP will always access the same Foursquare account. For the time being, I have this login information hardcoded in my script. What is the best way to secure this information?
If I follow the advice from this thread, I should just place the login information in a config file outside the website’s root directory:
How to secure database passwords in PHP?
Is this the best advice? Or is there a better way to secure the login information?
The best way, of course, would be to not store it at all.
If you can’t do that, storing it inside a PHP file (as variables) should ensure it’s not going to be sent to the client side. If you’re really paranoid about your web server suddenly stopping to interpret PHP, you can put it in a separate file, outside the document root, or where access is denied (through a .htaccess directive, for instance).
(There are linux-specific details here, so please forgive them if that’s not your platform…)
If you’re running on apache and have access to the configuration files (which may not be the case with shared hosting), you can put a line like this in your VirtualHost config (or httpd.conf, or other included config file):
SetEnv FOURSQUARE_PW "your password"
Then your php scripts can access it at
The advantage here is that you can make that config file readable only by root, since apache will be started as root using init.d.
storing it in a .php file as a variable outside the root directory in a filename that is not something easily guessed is a reasonable secure way of keeping your credentials safe. But if you can avoid storing it on the server at all then that would be best. Provide a login page to enter that information into upon demand to be used for the session and then discarded once you no longer need it.