Security: DotEnv loads DB password plaintext in $_SERVER #1969
Comments
I've never seen this be done. It's really up to the developer to make sure there are no If an attacker gains access to your server, they're going to have access to your password anyways. I know AWS encrypts DB passwords in transit when you're using KMS or Opsworks/ElasticBeanstalk, but that password is still visible if someone gets access to your apache conf files, so encrypting it in CodeIgniter would be useless. Most IDEs have a way to check for things like phpinfo().
Gotcha, I'll follow you on this and say "dev problem" - closing.
Thanks @Paradinight - cool feature I didn't know about! I wasn't so much worried about this for myself, but generally. But if others don't think it is the framework's responsibility to keep
We should add info in the documentation and in the env file.
This might be considered and decided upon already, but I was surprised when I ran phpinfo() to check extensions that it includes Environment values and thus my database password (in plaintext). Technically $_SERVER and environment variables should never be exposed, but practically there are a lot of stray calls to phpinfo(), which normally isn't ideal but doesn't display anything so compromising as DB connection info.
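As an added example (not CodeIgniter's code, and not from anyone in this thread), the script below loads a constructed .env-style string the way a DotEnv loader does, into putenv(), $_ENV and $_SERVER, which are exactly the places phpinfo() prints, and then removes the secret keys again once the application has copied them into its own config. The variable names and the placeholder password are assumptions for the demo.

```php
<?php
// Added example, not CodeIgniter's own code. A .env-style string (constructed,
// with a placeholder password) is loaded the way a DotEnv loader does: into
// putenv(), $_ENV and $_SERVER. phpinfo() prints all three, so once the
// application has copied the credentials into its own config, the secret
// keys are removed from every place phpinfo() reads from.

const DOTENV_SAMPLE = "DB_HOSTNAME=localhost\n"
                    . "DB_USERNAME=ci_user\n"
                    . "DB_PASSWORD=constructed-placeholder-secret\n";

// Keys that must not remain in the environment after bootstrap (assumed names).
const SECRET_KEYS = ['DB_PASSWORD'];

function loadDotEnv(string $contents): void
{
    foreach (explode("\n", $contents) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || strpos($line, '=') === false) {
            continue;  // skip blanks, comments and malformed lines
        }
        [$name, $value] = explode('=', $line, 2);
        $name  = trim($name);
        $value = trim($value);
        putenv("$name=$value");
        $_ENV[$name]    = $value;
        $_SERVER[$name] = $value;
    }
}

function scrubSecrets(array $keys): void
{
    foreach ($keys as $name) {
        putenv($name);                        // no "=": removes the variable
        unset($_ENV[$name], $_SERVER[$name]);
    }
}

loadDotEnv(DOTENV_SAMPLE);

// Copy what the application needs into its own config first ...
$dbConfig = [
    'hostname' => $_SERVER['DB_HOSTNAME'],
    'username' => $_SERVER['DB_USERNAME'],
    'password' => $_SERVER['DB_PASSWORD'],
];

// ... then scrub, so phpinfo() and any $_SERVER dump no longer show it.
scrubSecrets(SECRET_KEYS);

var_dump(isset($_SERVER['DB_PASSWORD']), getenv('DB_PASSWORD'));
```

A coarser control that does not depend on the framework is listing phpinfo in php.ini's disable_functions, so a stray call fails instead of printing the environment.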