codeigniter4 / CodeIgniter4

Open Source PHP Framework (originally from EllisLab)
https://codeigniter.com/
MIT License

Security: DotEnv loads DB password plaintext in $_SERVER #1969

Closed MGatner closed 5 years ago

MGatner commented 5 years ago

This might be considered and decided upon already, but I was surprised when I ran phpinfo() to check extensions that it includes Environment values and thus, my database password (in plaintext). Technically $_SERVER and environment variables should never be exposed, but practically there are a lot of stray calls to phpinfo() which normally isn't ideal but doesn't display anything so compromising as DB connection info.

albertleao commented 5 years ago

I've never seen this be done. It's really up to the developer to make sure there is no phpinfo() around in the code. It's the equivalent of trying to encrypt passwords for the reason that developers have echo $my_password somewhere in the code. At the end of the day, there's only so much you can do to prevent a developer from following bad practices.

If an attacker gains access to your server, they're going to have access to your password anyways. I know AWS encrypts DB passwords in transit when you're using KMS or OpsWorks/ElasticBeanstalk, but that password is still visible if someone gets access to your apache conf files, so encrypting it in codeigniter would be useless.

Most IDEs have a way to check for things like phpinfo().

MGatner commented 5 years ago

Gotcha, I'll follow you on this and say "dev problem" - closing.

Paradinight commented 5 years ago

@MGatner Use https://www.php.net/manual/en/ini.core.php#ini.disable-functions
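Two audit checks for what this thread discusses (stray phpinfo() calls in application code, and whether the disable_functions mitigation linked above actually covers phpinfo), as an added example that is not CodeIgniter's own code; the fixture files are constructed and the function names are mine.

```shell
#!/bin/sh
# Added example, not CodeIgniter's own code: two audit checks for the points raised
# above -- stray phpinfo() calls in application code, and whether php.ini's
# disable_functions (the mitigation @Paradinight linked) actually covers phpinfo.
# Pure POSIX sh + find/grep/sed, so it runs without a PHP binary.

# Print file:line for every phpinfo( call under DIR; return 1 if any were found.
find_phpinfo_calls() {
    dir="$1"
    # /dev/null is passed as an extra file so grep always prefixes the filename.
    hits=$(find "$dir" -name '*.php' -exec grep -nE 'phpinfo[[:space:]]*\(' /dev/null {} + 2>/dev/null || true)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# Return 0 if INI's effective disable_functions entry lists phpinfo, 1 otherwise.
ini_disables_phpinfo() {
    ini="$1"
    # The last uncommented directive wins in php.ini; split its value on commas,
    # trim whitespace and lower-case it (PHP function names are case-insensitive).
    grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" | tail -n 1 \
        | cut -d= -f2- | tr ',' '\n' | tr 'A-Z' 'a-z' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qx 'phpinfo'
}

# Demo on constructed fixtures (sample input, not a real project).
demo() {
    t=$(mktemp -d)
    mkdir "$t/app"
    printf '<?php\necho "hello";\n' > "$t/app/index.php"
    printf '<?php\n// leftover debugging aid\nphpinfo();\n' > "$t/app/debug.php"
    printf 'disable_functions = exec,passthru\n' > "$t/weak.ini"
    printf 'disable_functions = exec, PHPINFO, passthru\n' > "$t/hard.ini"
    find_phpinfo_calls "$t/app" || echo "stray phpinfo() call(s) found above"
    for ini in weak hard; do
        if ini_disables_phpinfo "$t/$ini.ini"; then echo "$ini.ini: phpinfo disabled"
        else echo "$ini.ini: phpinfo still callable"; fi
    done
    rm -rf "$t"
}
demo
```

The ini check reads only the file you hand it; on a real host compare against `php -i` or the loaded php.ini path, since additional scanned .ini files can change the effective value.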

MGatner commented 5 years ago

Thanks @Paradinight - cool feature I didn't know about! I wasn't so much worried about this for myself, but generally. But if others don't think it is the framework's responsibility to keep $_SERVER clean then I won't worry about it.

Paradinight commented 5 years ago

We should add info in the documentation and in the env file.