Dan:

>> 2) I store the db password and login info in a database.inc.php
>> file. Is there any way I can prevent a person from getting the db
>> pass even after he gets this file?
>
> Store that file outside the docroot. That way there is no chance they can
> get it from the web site. I myself use an ini file that is nowhere near
> the docroot, and use parse_ini_file() to load the DB information in, and
> then I connect to it. This method passed our security audit with flying
> colors.

Okay - this may be a dumb question - but if the file is named database.inc.php - how would someone get this file without having ftp or ssh or telnet access to the server? If they have access to the server - it would be just as easy to collect the information outside of the doc root, since that file has to be readable by the webserver also, yes?

Maybe I am missing something totally obvious, but if the server is set up to properly parse php files - having configs outside of the doc root should not make much of a security difference?

--
Cheers

Mike Morton
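
An added example, not code from this thread: one way to write the approach described in the quoted reply (an ini file outside the docroot, loaded with parse_ini_file()), with checks that the file really resolves outside the docroot and is not accessible to other local users. The function name, the paths, the `[database]` section and its keys are assumptions, and the permission check assumes POSIX mode bits.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: load DB settings from an ini file and refuse a
// location or mode that would undo the point of moving it out of the docroot.
function load_db_config(string $iniPath, string $docRoot): array
{
    $ini  = realpath($iniPath);   // resolves symlinks and ".." segments
    $root = realpath($docRoot);
    if ($ini === false || $root === false) {
        throw new RuntimeException('config file or docroot not found');
    }
    // Reject anything under the docroot; the trailing separator keeps
    // "/srv/htdocs2" from matching "/srv/htdocs".
    if (strncmp($ini, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0) {
        throw new RuntimeException('config file is inside the docroot');
    }
    // Reject files readable or writable by "other" (POSIX mode bits).
    $mode = fileperms($ini);
    if ($mode === false || ($mode & 0006) !== 0) {
        throw new RuntimeException('config file is accessible to other users');
    }
    // INI_SCANNER_RAW: values are not parsed (no constant or ${VAR} expansion).
    $cfg = parse_ini_file($ini, true, INI_SCANNER_RAW);
    if ($cfg === false || !isset($cfg['database'])) {
        throw new RuntimeException('missing [database] section');
    }
    foreach (['host', 'name', 'user', 'password'] as $key) {
        if (!isset($cfg['database'][$key])) {
            throw new RuntimeException("missing database.$key");
        }
    }
    return $cfg['database'];
}

// Constructed demo: a temporary directory stands in for the server layout.
$base = sys_get_temp_dir() . '/cfgdemo_' . bin2hex(random_bytes(4));
mkdir("$base/htdocs", 0755, true);
mkdir("$base/private", 0700);
file_put_contents("$base/private/db.ini",
    "[database]\nhost = localhost\nname = app\nuser = app\npassword = example-only\n");
chmod("$base/private/db.ini", 0640);   // owner rw, web server group r, others none

$db  = load_db_config("$base/private/db.ini", "$base/htdocs");
$dsn = "mysql:host={$db['host']};dbname={$db['name']}";
echo $dsn, PHP_EOL;
// $pdo = new PDO($dsn, $db['user'], $db['password']);  // needs a live database
```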