Category: Security

Q: How to prevent Oauth2 app key and secret hard-coded in CakePHP?

Hi again,

I have a small application that uses OAuth2 to interact with a third-party service provider. I'd like to know if there is any way to protect the key/secret in the source code so that other people cannot access it through git?

For example:

<?php
// in controller
$provider = new GOauth([
    'clientId'                => '{appKey}', //appKey
    'clientSecret'            => '{appSecret}',   //appSecret
    'redirectUri'             => 'http://example.com/your-redirect-url/'
]);

$provider->doStuff();

So far the best I have tried is to use Configure::load (I think it is still "hard-coded"):

Configure::load('my_file', 'default');
Configure::read('appKey');

Loading configuration files

Is there a better way to protect hard-coded variables in Cake?

Thanks,

Sam

SOLVED cakephp security
1 Answer
Accepted by Sam Dawson

Hi Sam:

CakePHP's configuration is a way to put sensitive data into a config file, but you also have to git-ignore that file before you commit and push to git.

Another approach is to use environment variables:

In PHP:

$sensitive_data = empty($_ENV['ENVIRONMENT_VARIABLE']) ? null : $_ENV['ENVIRONMENT_VARIABLE'];

or, in the preferred Cake way (from Cake 2.0+), you can access an env variable with

 $sensitive_data = env('ENVIRONMENT_VARIABLE'); // returns null on empty

function env() cakephp 2.0

function env() cakephp 3.0

PHP's environment variables

Hope env() helps you.
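The environment-variable approach from the answer above, worked through as an added example (this is not code from the original post, and it uses plain PHP getenv() rather than CakePHP's env() so it runs outside Cake). The GOAUTH_* variable names, the loadOauthConfig() and maskSecret() helpers and the sample values are assumptions made for the example. The point it adds beyond the answer is that the loader fails closed: a missing or empty secret raises instead of letting the app start with a blank credential.

```php
<?php
// Added example (not from the original post): read the OAuth2 client
// credentials from the process environment instead of the source tree.
// Variable names, helper names and sample values are assumptions.
declare(strict_types=1);

/**
 * Build the provider options from environment variables.
 * Throws if any required variable is unset or empty, so a misconfigured
 * deployment refuses to run rather than using a blank secret.
 */
function loadOauthConfig(string $prefix = 'GOAUTH_'): array
{
    $required = ['CLIENT_ID', 'CLIENT_SECRET', 'REDIRECT_URI'];
    $values = [];
    foreach ($required as $name) {
        $value = getenv($prefix . $name);
        if ($value === false || trim($value) === '') {
            throw new RuntimeException("Missing environment variable {$prefix}{$name}");
        }
        $values[$name] = $value;
    }
    // Same array shape the question passes to new GOauth([...]).
    return [
        'clientId'     => $values['CLIENT_ID'],
        'clientSecret' => $values['CLIENT_SECRET'],
        'redirectUri'  => $values['REDIRECT_URI'],
    ];
}

/** Mask a secret before it goes anywhere near a log line or error page. */
function maskSecret(string $secret): string
{
    $len = strlen($secret);
    if ($len <= 4) {
        return str_repeat('*', $len);
    }
    return substr($secret, 0, 2) . str_repeat('*', $len - 4) . substr($secret, -2);
}

// Constructed sample environment. In a real deployment these are set by
// the web server, container or service manager, never by code in git.
putenv('GOAUTH_CLIENT_ID=example-client-id');
putenv('GOAUTH_CLIENT_SECRET=s3cr3t-value-not-in-git');
putenv('GOAUTH_REDIRECT_URI=http://example.com/your-redirect-url/');

$oauth = loadOauthConfig();
printf(
    "clientId=%s clientSecret=%s redirectUri=%s\n",
    $oauth['clientId'],
    maskSecret($oauth['clientSecret']),
    $oauth['redirectUri']
);

// Show the fail-closed path: unset the secret and try again.
putenv('GOAUTH_CLIENT_SECRET'); // putenv() with only a name removes it
try {
    loadOauthConfig();
} catch (RuntimeException $e) {
    echo 'Refused to start: ' . $e->getMessage() . "\n";
}
```

Inside CakePHP, replace getenv() with the env() helper the answer links to; the fail-closed check is still worth keeping, since env() returns null on an empty value and the provider would otherwise be constructed with no secret. If you keep a local config file instead, add it to .gitignore before the first commit, because removing a secret from history after it has been pushed does not un-leak it.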