Up until now, I have been storing the root path of my site on my server in an .ini file outside of the public_html directory:
```ini
[settings]
home_url = 'http://www.example.com'
root_path = '/home/this/that/public_html'
```
And using it like this:
```php
function parse_ini() {
    $root = dirname(__FILE__);
    return parse_ini_file($root.'/../../config.ini', true);
} // End parse_ini

function do_something() {
    $ini = parse_ini(); // I now have $ini['settings']['root_path']
}
```
I feel good about this because the .ini file itself is not publicly accessible, and the only time I parse the file is within a function, so the scope of the data within the file is very limited. This is important as it contains my database credentials.
I am trying to get away from using the .ini file as much as possible, mainly due to the overhead of parsing the file several times per page load (since its scope is always within a function).
What security implications might I face by putting the root path in a constant with a global scope?
```php
define('ROOT_PATH', '/home/this/that/public_html');
```
I'm thinking of having only the database credentials in the .ini file, and moving everything else out of it. The only thing I haven't found a good place for yet is the root path on the server, and I am a little worried about any possible holes this would open up should someone come across it.
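One way to avoid re-parsing the file on every call while keeping the credentials out of global scope, shown as an added example that is not part of the original post. The `config()` helper, the `[database]` section and its values are hypothetical, and the sample ini is constructed in a temp file so the script runs on its own; the root path is taken from `__DIR__`, which any PHP script on the server can already read.

```php
<?php
// Constructed sample config, written to a temp file so the example is stand-alone.
$iniPath = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($iniPath, <<<INI
[settings]
home_url = 'http://www.example.com'

[database]
user = 'app_user'
pass = 'constructed-sample-password'
INI
);

// The root path is derived rather than stored. Here __DIR__ stands in for
// the public_html directory (assumption for this example).
define('ROOT_PATH', __DIR__);

/**
 * Hypothetical helper: parse the ini file at most once per request and keep
 * the result in a function-static cache, so credentials never enter global
 * scope and callers only receive the section they ask for.
 */
function config(string $path, string $section): array
{
    static $cache = [];
    if (!isset($cache[$path])) {
        $parsed = parse_ini_file($path, true);
        if ($parsed === false) {
            // Keep the filesystem path out of the message: error text is the
            // usual way a server path ends up in front of a visitor.
            throw new RuntimeException('Cannot read configuration file');
        }
        $cache[$path] = $parsed;
    }
    if (!isset($cache[$path][$section])) {
        throw new InvalidArgumentException('Unknown config section');
    }
    return $cache[$path][$section];
}

$db = config($iniPath, 'database');       // first call parses the file
unlink($iniPath);                         // file removed: a re-parse would now fail
$settings = config($iniPath, 'settings'); // still succeeds, served from the cache

echo $settings['home_url'], PHP_EOL;
echo 'database user: ', $db['user'], PHP_EOL;
echo 'ROOT_PATH is set: ', defined('ROOT_PATH') ? 'yes' : 'no', PHP_EOL;
```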