I’m writing a simple PHP script to access the Foursquare API. The PHP will always access the same Foursquare account. For the time being, I have this login information hardcoded in my script. What is the best way to secure this information?
If I follow the advice from this thread, I should just place the login information in a config file outside the website’s root directory:
How to secure database passwords in PHP?
Is this the best advice? Or is there a better way to secure the login information?
The best way, of course, would be to not store it at all.
If you can’t do that, storing it inside a PHP file (as variables) should ensure it’s not going to be sent to the client side. If you’re really paranoid about your web server suddenly stopping to interpret PHP, you can put it in a separate file, outside the document root, or where access is denied (through a .htaccess directive, for instance).