There is a useful solution to the problem of securing connection information in the PHP Cookbook (O'Reilly) by David Sklar and Adam Trachtenberg. They propose using 'SetEnv' in the Apache configuration and then accessing the values from within a script using $_SERVER.
Unfortunately using the 'SetEnv' solution exposes your connection information to all users of that virtual host. If they run phpinfo.php or display $_SERVER, I found that they will see the password from any file under the root of that virtual host.
To restrict exposure to a particular directory or specific file:
1. First put an 'Include' to the secret file in httpd.conf. For example:
Include "/web/private/secret.txt"
2. In the password file, use the 'SetEnvIf' directive to enable the Environment variables by directory only or within a specific file. For example:
- For all files in the directory:
SetEnvIf Request_URI "/path/to/my/directory" ORACLE_PASS=5gHj790j
- For a specific file in the directory
SetEnvIf Request_URI "/path/to/my/directory/connection.oracle.php" ORACLE_PASS=5gHj790j
