Use an external configuration file. #2
Comments
That's why other implementations use a ~/.photobackup INI file to store this. Plus, with the help of Nick Thomas (the Go server implementation maintainer), I do not store the SHA-512 hashed password anymore (though it can still be here for backward compatibility during API v2) in this file, but a Bcrypt version of it. You can see the implementation in the Python or Go implementations. Do you think it would be possible to do the same in PHP? I should better document such features; there's a server.md file in the API repository, but it is not accurate anymore...
An API should only specify how software talks with a server, not how a server works, so it doesn’t really matter how and where this is specified. The problem with PHP is not so much what it can and can’t read, the problem is what hosting providers will allow. I want this implementation to be easy to use for anyone, no matter what hosting provider they want to run it on. Very few hosting providers will allow me to read and write from arbitrary paths like the user directory, so that is definitely out. Another problem, which is why this issue has the documentation label attached, is that we need to explain to people that an external configuration file only works when put outside of the server’s public directory. Some hosting might not allow you to upload outside of there, in which case it is safer to stick with the current format. A .photobackup or config.ini file in the public directory will just be readable by everyone and that mistake is easily made.
Ok, so this is kinda specific to PHP, right? In this case, I leave it to you to handle it in the proper manner. Considering what you said about the API and in order to provide documentation to developers who want to help us, do you think we should:
Fixes PhotoBackup#2: index.php is now considered a configuration file (which loads the server at the end). To avoid conflicts during updates, index.php is not committed to the repository; instead, an index.php.example is provided. It is also possible to move index.php somewhere outside the document root and include it from the real index.php (see instructions in the index.php.example). The whole project is now a Composer package. Composer is not necessary when running this as a standalone server, but it allows this project to be used as a library.
Fixes PhotoBackup#2: index.php is now considered a configuration file (which loads the server at the end). To avoid conflicts during updates, index.php is not committed to the repository; instead, an index.php.example is provided. It is also possible to move index.php somewhere outside the document root and include it from the real index.php (see instructions in the index.php.example). The whole project is now a Composer package. Composer is not necessary when running this as a standalone server, but it allows this project to be used as a library. Also, it fixes PhotoBackup#6 - a missing parameter in checking for duplicates.
Passwords are best stored away from third parties, and although PHP code should not be readable, it is not unheard of to have a server misconfiguration leak PHP code in plaintext.
By storing the configuration (including the password) in an external file, this file can be put outside of the publicly accessible server directory.
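The placement concern raised in this issue, as an added example (not code from this repository or from the Python or Go servers): a loader that refuses an INI file located inside the document root and checks the submitted password against a bcrypt hash. The function names, the `media_root` and `password_bcrypt` keys, the paths and the password are assumptions constructed for the demo; on a real host the second argument would be `$_SERVER['DOCUMENT_ROOT']`.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: true when $file resolves (symlinks included) to a path under $docRoot.
function isInsideDocumentRoot(string $file, string $docRoot): bool
{
    $file = realpath($file);
    $root = realpath($docRoot);
    if ($file === false || $root === false) {
        return true; // fail closed: a path that cannot be resolved is not proven private
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($file, $root, strlen($root)) === 0;
}

// Hypothetical loader: reads the INI file and refuses one the web server could serve.
function loadConfig(string $file, string $docRoot): array
{
    if (!is_file($file) || !is_readable($file)) {
        throw new RuntimeException('Configuration file not found or not readable');
    }
    if (isInsideDocumentRoot($file, $docRoot)) {
        throw new RuntimeException('Configuration file is inside the public directory');
    }
    // Raw mode keeps the "$" characters of a bcrypt hash untouched.
    $config = parse_ini_file($file, false, INI_SCANNER_RAW);
    if ($config === false || !isset($config['media_root'], $config['password_bcrypt'])) {
        throw new RuntimeException('Configuration file is invalid');
    }
    return $config;
}

// Constructed demo: a throwaway "document root" and a sibling private directory.
$base = sys_get_temp_dir() . '/pb-demo-' . bin2hex(random_bytes(4));
mkdir("$base/public", 0700, true);
mkdir("$base/private", 0700, true);
$sent = hash('sha512', 'constructed-demo-password'); // assumption: client sends SHA-512 hex
$ini  = "media_root = $base/private/photos\n"
      . 'password_bcrypt = ' . password_hash($sent, PASSWORD_BCRYPT) . "\n";
file_put_contents("$base/public/config.ini", $ini);  // weak placement
file_put_contents("$base/private/config.ini", $ini); // corrected placement

try {
    loadConfig("$base/public/config.ini", "$base/public");
} catch (RuntimeException $e) {
    echo 'public:  ', $e->getMessage(), PHP_EOL;
}
$config = loadConfig("$base/private/config.ini", "$base/public");
echo 'private: ', password_verify($sent, $config['password_bcrypt']) ? 'password ok' : 'rejected', PHP_EOL;
```

The path check only establishes that the file is not under the document root; a host that maps other directories into the site (aliases, a second virtual host) still needs those checked by hand.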